Windows Analysis Report
kk.exe

Overview

General Information

Sample name: kk.exe
Analysis ID: 1540404
MD5: 6d3972b910ec219f2ef6eb3068227bee
SHA1: 1669dc4c778672b9517ca2cf455369dfc3fbb8fd
SHA256: f7b17ea8d0bb38c5760528dcafbf354618a643056f04dc110d743bbbf8e99079
Tags: agenttesla, exe, user-malwarelabnet

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • kk.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\kk.exe" MD5: 6D3972B910EC219F2EF6EB3068227BEE)
    • RegSvcs.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\kk.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs           "}
Source | Rule | Description | Author | Strings
00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3776925018.0000000002839000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings:
          • 0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
          • 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
          • 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
          • 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
          • 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
          • 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
          • 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
          • 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source | Rule | Description | Author | Strings
0.2.kk.exe.1680000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.kk.exe.1680000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.kk.exe.1680000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings: $s1 to $s8 at the same offsets as in the memory-dump match above
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 107.178.108.41, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7408, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49702
No Suricata rule has matched

AV Detection

Source: 0.2.kk.exe.1680000.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs "}
Source: kk.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: kk.exe | Joe Sandbox ML: detected
Source: kk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: kk.exe, 00000000.00000003.1325936356.0000000004490000.00000004.00001000.00020000.00000000.sdmp, kk.exe, 00000000.00000003.1317497233.0000000004630000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: kk.exe, 00000000.00000003.1325936356.0000000004490000.00000004.00001000.00020000.00000000.sdmp, kk.exe, 00000000.00000003.1317497233.0000000004630000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 107.178.108.41:587
Source: Joe Sandbox View | IP Address: 107.178.108.41
Source: Joe Sandbox View | ASN Name: IOFLOODUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
Source: global traffic | DNS traffic detected: DNS query: mail.pgsu.co.id
Source: RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.pgsu.co.id
Source: RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pgsu.co.id
Source: RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3778815541.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3778815541.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: kk.exe, 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.kk.exe.1680000.1.raw.unpack, cPKWk.cs | .Net Code: gdCwU6rsZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

System Summary

Source: 0.2.kk.exe.1680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.kk.exe.1680000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00412038
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00427161
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0047E1FA
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004212BE
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00443390
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00443391
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0041A46B
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0041240C
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00446566
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004045E0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0041D750
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004037E0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00427859
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00412818
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0040F890
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0042397B
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00409A40
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00411B63
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0047CBF0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044EBBC
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00412C38
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044ED9A
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00423EBF
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00424F70
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0041AF0D
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_03F493F6
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_03F4CC88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00D94AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00D93E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00D941D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00D9D180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00D9FC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0538DCAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0538BCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0538A898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05388B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05383F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05384FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_053856C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05380040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05383223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05382AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D21522
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D21528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00D9D17C
Source: C:\Users\user\Desktop\kk.exe | Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\kk.exe | Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\kk.exe | Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\kk.exe | Code function: String function: 0040E6D0 appears 35 times
Source: kk.exe, 00000000.00000003.1317931727.000000000475D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs kk.exe
Source: kk.exe, 00000000.00000003.1318288842.00000000045B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs kk.exe
Source: kk.exe, 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs kk.exe
Source: 0.2.kk.exe.1680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.kk.exe.1680000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.kk.exe.1680000.1.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kk.exe.1680000.1.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kk.exe.1680000.1.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kk.exe.1680000.1.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.kk.exe.1680000.1.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kk.exe.1680000.1.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.kk.exe.1680000.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\kk.exe | File created: C:\Users\user~1\AppData\Local\Temp\porcelainize
Source: kk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\kk.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\kk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kk.exe | File read: C:\Users\user\Desktop\kk.exe
Source: unknown | Process created: C:\Users\user\Desktop\kk.exe "C:\Users\user\Desktop\kk.exe"
Source: C:\Users\user\Desktop\kk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\kk.exe"
Source: C:\Users\user\Desktop\kk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\kk.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\kk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: kk.exe | Static file information: File size 1177859 > 1048576
                  Source: C:\Users\user\Desktop\kk.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
                  Source: kk.exeStatic PE information: real checksum: 0xa2135 should be: 0x12e796
                  Source: C:\Users\user\Desktop\kk.exeCode function: 0_2_004171D1 push ecx; ret 0_2_004171E4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00D9AAF3 pushad ; ret 3_2_00D9AAF4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00D9AA80 pushad ; ret 3_2_00D9AA82
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05383AD7 push ebx; retf 3_2_05383ADA
                  Source: C:\Users\user\Desktop\kk.exeCode function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004772DE
                  Source: C:\Users\user\Desktop\kk.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
Source: C:\Users\user\Desktop\kk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 59 times in the report)

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00444078 0_2_00444078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\kk.exe | API/Special instruction interceptor: Address: 3F4C8AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1197938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1197813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1197703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1197594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7666
Source: C:\Users\user\Desktop\kk.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-86265
Source: C:\Users\user\Desktop\kk.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-84979
Source: C:\Users\user\Desktop\kk.exe | API coverage: 3.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96235
Source: RegSvcs.exe, 00000003.00000002.3778815541.0000000005D50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: C:\Users\user\Desktop\kk.exe | API call chain: ExitProcess graph end node graph_0-84829
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_03F4B4D8 mov eax, dword ptr fs:[00000030h] 0_2_03F4B4D8
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_03F4CB78 mov eax, dword ptr fs:[00000030h] 0_2_03F4CB78
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_03F4CB18 mov eax, dword ptr fs:[00000030h] 0_2_03F4CB18
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard
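The "Thread delayed" records in this section (one wait of 922337203685477 ms followed by runs of values that step down by roughly 110 to 270 ms each) are a pattern an analyst wants to pick out of a report automatically rather than by eye. The script below is an added example written for this report; it is not Joe Sandbox code and not code from the sample. It parses report lines in the format shown, flags effectively infinite waits, and groups steadily decreasing delays into countdown loops. The sample lines are constructed from delay values listed in this report; the thresholds INFINITE_MS, MIN_RUN and MAX_STEP_MS are assumptions.

```python
"""Flag sandbox-evasion sleep patterns in "Thread delayed" records.

Added example for this report; not Joe Sandbox code. Sample lines are constructed
from delay values the report lists; the thresholds below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# TimeSpan.MaxValue expressed in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
# A wait of this length never returns on its own, so it is a "park this thread" sentinel.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

INFINITE_MS = 10 * 365 * 24 * 3600 * 1000  # assumption: anything over ten years is "never"
MIN_RUN = 5          # assumption: shortest countdown worth reporting
MAX_STEP_MS = 1_000  # assumption: largest per-iteration decrement of a countdown loop


@dataclass
class Finding:
    kind: str       # "timespan_max", "infinite_wait" or "sleep_loop"
    first_ms: int   # first delay value in the run
    last_ms: int    # last delay value in the run
    count: int      # number of delay records in the run


def parse_delays(lines: Iterable[str]) -> List[int]:
    """Pull the millisecond value out of every "Thread delayed" line, in report order."""
    delays = []
    for line in lines:
        match = DELAY_RE.search(line)
        if match:
            delays.append(int(match.group(1)))
    return delays


def find_infinite_waits(delays: List[int]) -> List[Finding]:
    """Single delays so long that the thread is parked for the life of the analysis."""
    findings = []
    for value in delays:
        if value >= INFINITE_MS:
            kind = "timespan_max" if value == TIMESPAN_MAX_MS else "infinite_wait"
            findings.append(Finding(kind, value, value, 1))
    return findings


def find_sleep_loops(delays: List[int]) -> List[Finding]:
    """Runs of consecutive delays that shrink by a small, steady amount.

    Values such as 1199907, 1199782, 1199657, ... are consistent with a loop that
    re-sleeps for the *remaining* time: each record is the previous one minus what
    was actually slept (about 125 ms here), so the full 20-minute wait is preserved
    even when a sandbox shortens every individual sleep call.
    """
    findings = []
    i = 0
    while i < len(delays):
        j = i
        while j + 1 < len(delays) and 0 < delays[j] - delays[j + 1] <= MAX_STEP_MS:
            j += 1
        if j - i + 1 >= MIN_RUN:
            findings.append(Finding("sleep_loop", delays[i], delays[j], j - i + 1))
        i = j + 1
    return findings


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run both detectors over raw report lines; unrelated lines are ignored."""
    delays = parse_delays(lines)
    return find_infinite_waits(delays) + find_sleep_loops(delays)


# Constructed sample: a few of the values the report lists, plus one benign 1 s sleep.
SAMPLE_REPORT = """\
Source: RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe | Thread delayed: delay time: 1199907
Source: RegSvcs.exe | Thread delayed: delay time: 1199782
Source: RegSvcs.exe | Thread delayed: delay time: 1199657
Source: RegSvcs.exe | Thread delayed: delay time: 1199546
Source: RegSvcs.exe | Thread delayed: delay time: 1199410
Source: RegSvcs.exe | Thread delayed: delay time: 1199141
Source: RegSvcs.exe | Window / User API: threadDelayed 2153
Source: RegSvcs.exe | Thread delayed: delay time: 1000
Source: RegSvcs.exe | Thread delayed: delay time: 100000
Source: RegSvcs.exe | Thread delayed: delay time: 99875
Source: RegSvcs.exe | Thread delayed: delay time: 99766
Source: RegSvcs.exe | Thread delayed: delay time: 99657
Source: RegSvcs.exe | Thread delayed: delay time: 99532
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"{f.kind:13} first={f.first_ms} last={f.last_ms} records={f.count}")
```

On the sample this reports the TimeSpan.MaxValue sentinel and two countdown loops (six records from 1199907 down to 1199141, five from 100000 down to 99532); the lone 1000 ms sleep is ignored. Paste the full "Thread delayed" block of a report in and the run lengths become the number of loop iterations the sandbox actually observed.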

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\kk.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\kk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6DC008
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Source: C:\Users\user\Desktop\kk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\kk.exe"
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: kk.exe | Binary or memory string: Shell_TrayWnd
Source: kk.exe | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
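Three records in this section are the observable side of process hollowing: kk.exe maps an execute-read-write section into RegSvcs.exe, writes into it at base 6DC008, and starts RegSvcs.exe with kk.exe's own path as the command line. The script below is an added example written for this report, not Joe Sandbox code. It runs two checks over constructed process-creation and memory-write events (a known hollowing host whose argv[0] does not name its own image, and a cross-process write into a region that is both writable and executable) and raises the verdict when both hit the same PID. The event classes, the HOLLOW_HOSTS list and PID 4321 for the parent of kk.exe are assumptions; PIDs 7296 and 7408, the paths, the command line and the write base come from this report.

```python
"""Flag a process-hollowing pattern from process-creation and memory-write records.

Added example for this report; not Joe Sandbox code. The event shapes and the
HOLLOW_HOSTS list are assumptions; the sample events are constructed from the
PIDs, paths and command line the report shows.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set, Union

# Assumption: signed .NET Framework utilities that are popular hollowing hosts.
# RegSvcs.exe is the one this sample uses; the others are common stand-ins.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}


@dataclass
class ProcessCreate:
    pid: int
    ppid: int
    image: str     # path of the executable actually mapped
    cmdline: str   # command line the parent supplied


@dataclass
class MemoryWrite:
    src_pid: int
    dst_pid: int
    base: int
    protection: str  # e.g. "execute and read and write"


Event = Union[ProcessCreate, MemoryWrite]


def first_token(cmdline: str) -> str:
    """argv[0] of a Windows command line, honouring a leading double-quoted path."""
    text = cmdline.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end] if end != -1 else text[1:]
    return text.split(maxsplit=1)[0] if text else ""


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def cmdline_mismatch(ev: ProcessCreate) -> bool:
    """A hollowing host started with a command line that names a different program.

    The report shows RegSvcs.exe created with kk.exe's own path as its command line:
    the parent chose both the image to map and the argv[0] the child would see.
    """
    return basename(ev.image) in HOLLOW_HOSTS and basename(first_token(ev.cmdline)) != basename(ev.image)


def foreign_rwx_write(ev: MemoryWrite) -> bool:
    """Another process wrote into a region that is both writable and executable."""
    prot = ev.protection.lower()
    return ev.src_pid != ev.dst_pid and "execute" in prot and "write" in prot


def detect(events: List[Event]) -> Dict[int, str]:
    """Return {pid: verdict} for every process that trips at least one rule."""
    creates = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    tags: Dict[int, Set[str]] = {}
    for pid, ev in creates.items():
        if cmdline_mismatch(ev):
            tags.setdefault(pid, set()).add("cmdline_mismatch")
    for ev in events:
        if isinstance(ev, MemoryWrite) and foreign_rwx_write(ev):
            tags.setdefault(ev.dst_pid, set()).add("foreign_rwx_write")
            target = creates.get(ev.dst_pid)
            if target is not None and target.ppid == ev.src_pid:
                tags[ev.dst_pid].add("written_by_parent")  # the creator is also the writer
    verdicts = {}
    for pid, found in tags.items():
        both = {"cmdline_mismatch", "foreign_rwx_write"} <= found
        verdicts[pid] = "hollowing_suspected" if both else "suspicious"
    return verdicts


# Constructed sample: kk.exe (PID 7296) spawns RegSvcs.exe (PID 7408) with its own path as the
# command line and writes an RWX region into it; a second RegSvcs.exe started normally is benign.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(7296, 4321, r"C:\Users\user\Desktop\kk.exe", r'"C:\Users\user\Desktop\kk.exe"'),
    ProcessCreate(7408, 7296, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                  r'"C:\Users\user\Desktop\kk.exe"'),
    MemoryWrite(7296, 7408, 0x6DC008, "execute and read and write"),
    ProcessCreate(7500, 4321, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                  r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u Some.dll'),
    MemoryWrite(7500, 7500, 0x400000, "read and write"),
]

if __name__ == "__main__":
    for pid, verdict in detect(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

On the sample only PID 7408 is flagged, and as hollowing_suspected because both rules hit it; the normally started RegSvcs.exe is left alone. On a live host the nearest telemetry is Sysmon Event ID 1 for the process-creation record and Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x0020) as a stand-in for the memory-write record, since Sysmon does not log the write itself.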

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.kk.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kk.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3776925018.0000000002839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3776925018.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kk.exe PID: 7296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7408, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: kk.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: kk.exe | Binary or memory string: WIN_XP
Source: kk.exe | Binary or memory string: WIN_XPe
Source: kk.exe | Binary or memory string: WIN_VISTA
Source: kk.exe | Binary or memory string: WIN_7
Source: Yara match | File source: 0.2.kk.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kk.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3776925018.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kk.exe PID: 7296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7408, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.kk.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kk.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3776925018.0000000002839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3776925018.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kk.exe PID: 7296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7408, type: MEMORYSTR
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_004741BB
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket | 0_2_0046483C
Source: C:\Users\user\Desktop\kk.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject | 0_2_0047AD92

MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count shown next to that technique in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (121); Native API (3); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (121); Access Token Manipulation (21); Process Injection (212); HTML Smuggling
Credential Access: OS Credential Dumping (2); Input Capture (221); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (138); Security Software Discovery (331); Virtualization/Sandbox Evasion (121); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (221); Clipboard Data (4); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Source | Detection | Scanner | Label | Link
kk.exe | 53% | ReversingLabs | Win32.Spyware.Negasteal |
kk.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pgsu.co.id | 107.178.108.41 | true | true | | unknown
mail.pgsu.co.id | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://pgsu.co.id | RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://r10.o.lencr.org0# | RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3778815541.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | kk.exe, 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.pgsu.co.id | RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r10.i.lencr.org/0 | RegSvcs.exe, 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3778815541.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776537795.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3776394158.0000000000B46000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
107.178.108.41 | pgsu.co.id | United States | 53755 | IOFLOODUS | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1540404
                              Start date and time:2024-10-23 18:41:10 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 7m 37s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:10
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:kk.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 36
                              • Number of non-executed functions: 315
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: kk.exe
Time | Type | Description
12:42:15 | API Interceptor | 11812972x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
107.178.108.41 | mm.exe | malicious | AgentTesla |
 | tUaGg541L8.exe | malicious | AgentTesla |
 | fXE0FZxunm.exe | malicious | AgentTesla |
 | inv. outstand.exe | malicious | AgentTesla |
 | sdss.exe | malicious | AgentTesla |
 | veems.exe | malicious | AgentTesla |
 | sdss.exe | malicious | AgentTesla |
 | kas.exe | malicious | AgentTesla |
 | 27.exe | malicious | AgentTesla |
 | dm.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
IOFLOODUS | https://www.google.co.nz/url?q=nL206935ZEtyvV206935l&sa=t&url=amp/%69%70%66%6F%78%2E%63%6F%2E%75%6B%2F%70%61%67%65%73%2F%74%68%61%6E%6B%73%2E%68%74%6D%6C#cnlhbi5zcGVuY2VyQHVzLnlhemFraS5jb20= | malicious | HTMLPhisher | 107.178.102.96
 | https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14 | malicious | Phisher | 107.167.89.10
 | https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14 | malicious | Phisher | 107.167.89.10
 | mm.exe | malicious | AgentTesla | 107.178.108.41
 | na.elf | malicious | Mirai | 184.164.88.201
 | tUaGg541L8.exe | malicious | AgentTesla | 107.178.108.41
 | fXE0FZxunm.exe | malicious | AgentTesla | 107.178.108.41
 | inv. outstand.exe | malicious | AgentTesla | 107.178.108.41
 | sdss.exe | malicious | AgentTesla | 107.178.108.41
 | veems.exe | malicious | AgentTesla | 107.178.108.41
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\kk.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):240128
                                                  Entropy (8bit):6.585969824135677
                                                  Encrypted:false
                                                  SSDEEP:6144:GraWHclro2I/J5JWoFPCDmtogZ42TsqGkhV/SeCb:GrarILTCDuHG+LCb
                                                  MD5:A17C5C914FA25F84A797D562DDA999C8
                                                  SHA1:4A7244F0D2A14C910BA905C68762C61A69C4791F
                                                  SHA-256:D8C10DBABDB6D6E704670E9C9586E91EB50FB4249640055B80B4C84A751EEC78
                                                  SHA-512:C3395D37AAEBDC8CA1703CA95A260D0077AC7DB3D36D6548540D6FC3B4D6D21756D92A26DB23ECFEB6343DA8F27578DD3A79CC5CF62FEF8A9A05F2B82530FDE6
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:yl.WH74TOHF3..49.FL46YWKw4TKHF39349JFL46YWK74TKHF39349JFL46Y.K74ZT.H3.:...G....?"D.$9'!AX^.Z+("[By5..F!%h/].w{jj+#PSwZF=.TKHF393d|JF.55Yg..RTKHF3934.JDM?7RWK.7TK@F39349T.O46yWK7.WKHFs93.9JFN46]WK74TKHB39349JFL42YWI74TKHF19s.9JVL4&YWK7$TKXF39349ZFL46YWK74TK..09|49JF.76.RK74TKHF39349JFL46YW.44XKHF39349JFL46YWK74TKHF39349JFL46YWK74TKHF39349JFL46YwK7<TKHF39349JFD.6Y.K74TKHF3934.>#4@6YWo.7TKhF39.79JDL46YWK74TKHF39.49*h>GD:WK7rQKHF.:34?JFL.5YWK74TKHF3934yJF..D<;$T4TGHF39.79JDL46.TK74TKHF39349J.L4tYWK74TKHF39349JFL.5YWK74.KHF1964..DL..XWH74TJHF59349JFL46YWK74TKHF39349JFL46YWK74TKHF39349JFL46YJ....x{D.>[M.j.Q.T..'..1.|6r!.1R..}.Z....o35.z4.Ev..P...!.@CJ8....tT=(Y#dC{D)....h.wg8t}.Q%.N...8..]2..o..t....D<.k.@..%#Y.8';[Qz.) RKZ.;.GL46Y........ZAxn.IIR.$!....Z>e....4FL4RYWKE4TK)F39t49J)L467WK7JTKH8393r9JF.46Y`K74qKHF^934.JFLJ6YW.J;[...ZJ..9JFL4...{.Y.........|7.Jm;o...0...i<`.6".;wz...9.. ..$kX2...K50]RI00WGuHx....HBH14^SH;.Z............(...g..4F39349.FL.6YW.4.KHF.9.4..FL4..W.7.T...3
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.26778059005819
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 95.11%
                                                  • AutoIt3 compiled script executable (510682/80) 4.86%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:kk.exe
                                                  File size:1'177'859 bytes
                                                  MD5:6d3972b910ec219f2ef6eb3068227bee
                                                  SHA1:1669dc4c778672b9517ca2cf455369dfc3fbb8fd
                                                  SHA256:f7b17ea8d0bb38c5760528dcafbf354618a643056f04dc110d743bbbf8e99079
                                                  SHA512:65d382238e9abb5fbc08403cd76bfd4f40eae45d0592ba4fc67807415ab48196f252d9a0a5bb7b7385b41692e669168320e131e41d113476f87d0aa099270526
                                                  SSDEEP:24576:WfmMv6Ckr7Mny5QbmRelcbzKO2Rosp8UAmo:W3v+7/5Qb5lcbzKbCjUAB
                                                  TLSH:4745D012B2C680F5D9623871193AE316A7F575387232CD8797D02E66BEEF0405E2EF61
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                                  Icon Hash:01449a1a796c95a9
                                                  Entrypoint:0x416310
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:0
                                                  File Version Major:5
                                                  File Version Minor:0
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:0
                                                  Import Hash:aaaa8913c89c8aa4a5d93f06853894da
                                                  Instruction
                                                  call 00007F1404D267BCh
                                                  jmp 00007F1404D1A58Eh
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [ebp+0Ch]
                                                  mov ecx, dword ptr [ebp+10h]
                                                  mov edi, dword ptr [ebp+08h]
                                                  mov eax, ecx
                                                  mov edx, ecx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007F1404D1A71Ah
                                                  cmp edi, eax
                                                  jc 00007F1404D1A8BAh
                                                  cmp ecx, 00000100h
                                                  jc 00007F1404D1A731h
                                                  cmp dword ptr [004A94E0h], 00000000h
                                                  je 00007F1404D1A728h
                                                  push edi
                                                  push esi
                                                  and edi, 0Fh
                                                  and esi, 0Fh
                                                  cmp edi, esi
                                                  pop esi
                                                  pop edi
                                                  jne 00007F1404D1A71Ah
                                                  pop esi
                                                  pop edi
                                                  pop ebp
                                                  jmp 00007F1404D1AB7Ah
                                                  test edi, 00000003h
                                                  jne 00007F1404D1A727h
                                                  shr ecx, 02h
                                                  and edx, 03h
                                                  cmp ecx, 08h
                                                  jc 00007F1404D1A73Ch
                                                  rep movsd
                                                  jmp dword ptr [00416494h+edx*4]
                                                  nop
                                                  mov eax, edi
                                                  mov edx, 00000003h
                                                  sub ecx, 04h
                                                  jc 00007F1404D1A71Eh
                                                  and eax, 03h
                                                  add ecx, eax
                                                  jmp dword ptr [004163A8h+eax*4]
                                                  jmp dword ptr [004164A4h+ecx*4]
                                                  nop
                                                  jmp dword ptr [00416428h+ecx*4]
                                                  nop
                                                  mov eax, E4004163h
                                                  arpl word ptr [ecx+00h], ax
                                                  or byte ptr [ecx+eax*2+00h], ah
                                                  and edx, ecx
                                                  mov al, byte ptr [esi]
                                                  mov byte ptr [edi], al
                                                  mov al, byte ptr [esi+01h]
                                                  mov byte ptr [edi+01h], al
                                                  mov al, byte ptr [esi+02h]
                                                  shr ecx, 02h
                                                  mov byte ptr [edi+02h], al
                                                  add esi, 03h
                                                  add edi, 03h
                                                  cmp ecx, 08h
                                                  jc 00007F1404D1A6DEh
                                                  Programming Language:
                                                  • [ASM] VS2008 SP1 build 30729
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [C++] VS2008 SP1 build 30729
                                                  • [ C ] VS2005 build 50727
                                                  • [IMP] VS2005 build 50727
                                                  • [ASM] VS2008 build 21022
                                                  • [RES] VS2008 build 21022
                                                  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x136e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x136e8 | 0x13800 | c9173f7c8b271253d012f4d842cddf75 | False | 0.09770633012820513 | data | 3.2802381666465874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab570 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab698 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab7c0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 30236 x 30236 px/m | English | Great Britain | 0.06435584999408495
RT_MENU | 0xbbfe8 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xbc038 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xbc138 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xbc668 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xbccf8 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xbd138 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xbd738 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xbdd98 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xbe120 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xbe278 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xbe290 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xbe2a8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xbe2c0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xbe2d8 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xbe478 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 18:42:17.772839069 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:17.778424978 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:17.778604984 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.328008890 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.346488953 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.351866961 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.490833998 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.491050959 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.496431112 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.637324095 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.643299103 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.648669958 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.820301056 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.820312977 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.820322990 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.820336103 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.820542097 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.820542097 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.850964069 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:18.856352091 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:18.995495081 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.009335041 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:19.014657974 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.154638052 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.155692101 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:19.161039114 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.300389051 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.301626921 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:19.307126045 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.463454962 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.463768005 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:19.469078064 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.608050108 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.608278036 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:19.614248037 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.873239994 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:19.873450994 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:19.878896952 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.017545938 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.018168926 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:20.018230915 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:20.018244028 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:20.018268108 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:42:20.023551941 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.023562908 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.023870945 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.023888111 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.187800884 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:42:20.231326103 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:43:56.466382980 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Oct 23, 2024 18:43:56.471940041 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:43:56.611443996 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7
Oct 23, 2024 18:43:56.618192911 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 18:42:16.443463087 CEST | 62526 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 18:42:17.450357914 CEST | 62526 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 18:42:17.761939049 CEST | 53 | 62526 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 18:42:17.761957884 CEST | 53 | 62526 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 23, 2024 18:42:16.443463087 CEST | 192.168.2.7 | 1.1.1.1 | 0x83f5 | Standard query (0) | mail.pgsu.co.id | A (IP address) | IN (0x0001) | false
Oct 23, 2024 18:42:17.450357914 CEST | 192.168.2.7 | 1.1.1.1 | 0x83f5 | Standard query (0) | mail.pgsu.co.id | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 23, 2024 18:42:17.761939049 CEST | 1.1.1.1 | 192.168.2.7 | 0x83f5 | No error (0) | mail.pgsu.co.id | pgsu.co.id | | CNAME (Canonical name) | IN (0x0001) | false
Oct 23, 2024 18:42:17.761939049 CEST | 1.1.1.1 | 192.168.2.7 | 0x83f5 | No error (0) | pgsu.co.id | | 107.178.108.41 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 18:42:17.761957884 CEST | 1.1.1.1 | 192.168.2.7 | 0x83f5 | No error (0) | mail.pgsu.co.id | pgsu.co.id | | CNAME (Canonical name) | IN (0x0001) | false
Oct 23, 2024 18:42:17.761957884 CEST | 1.1.1.1 | 192.168.2.7 | 0x83f5 | No error (0) | pgsu.co.id | | 107.178.108.41 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 23, 2024 18:42:18.328008890 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7 | 220-grogolvps.padinet.com ESMTP Exim 4.98 #2 Wed, 23 Oct 2024 23:42:18 +0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Oct 23, 2024 18:42:18.346488953 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41 | EHLO 226546
Oct 23, 2024 18:42:18.490833998 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7 | 250-grogolvps.padinet.com Hello 226546 [173.254.250.90]
250-SIZE 52428800
250-LIMITS MAILMAX=1000 RCPTMAX=50000
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Oct 23, 2024 18:42:18.491050959 CEST | 49702 | 587 | 192.168.2.7 | 107.178.108.41 | STARTTLS
Oct 23, 2024 18:42:18.637324095 CEST | 587 | 49702 | 107.178.108.41 | 192.168.2.7 | 220 TLS go ahead

                                                  Target ID:0
                                                  Start time:12:42:12
                                                  Start date:23/10/2024
                                                  Path:C:\Users\user\Desktop\kk.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\kk.exe"
                                                  Imagebase:0x400000
                                                  File size:1'177'859 bytes
                                                  MD5 hash:6D3972B910EC219F2EF6EB3068227BEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1328783876.0000000001680000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:12:42:13
                                                  Start date:23/10/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\kk.exe"
                                                  Imagebase:0x530000
                                                  File size:45'984 bytes
                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3776925018.000000000280E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3776925018.0000000002839000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3775663549.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3776925018.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3776925018.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                    Execution Graph

                                                    Execution Coverage:3%
                                                    Dynamic/Decrypted Code Coverage:1.3%
                                                    Signature Coverage:3.8%
                                                    Total number of Nodes:1408
                                                    Total number of Limit Nodes:31
84898->84899 84902 41696e __encode_pointer 6 API calls 84899->84902 84988 417047 73 API calls _realloc 84900->84988 84901->84894 84904 411360 84901->84904 84902->84894 84904->84901 84906 41137c 84904->84906 84989 417047 73 API calls _realloc 84904->84989 84990 41696e TlsGetValue 84906->84990 84907 411376 84907->84894 84907->84906 85002 411824 84909->85002 84913 41841c 84912->84913 84914 41842f EnterCriticalSection 84912->84914 84919 418344 84913->84919 84914->84888 84916 418422 84916->84914 84947 4117af 67 API calls 3 library calls 84916->84947 84918 41842e 84918->84914 84920 418350 __mtinitlocknum 84919->84920 84921 418360 84920->84921 84922 418378 84920->84922 84948 418252 67 API calls 2 library calls 84921->84948 84931 418386 __mtinitlocknum 84922->84931 84951 416fb6 84922->84951 84925 418365 84949 4180a7 67 API calls 7 library calls 84925->84949 84928 41836c 84950 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84928->84950 84929 4183a7 84934 418407 __lock 67 API calls 84929->84934 84930 418398 84957 417f23 67 API calls __getptd_noexit 84930->84957 84931->84916 84936 4183ae 84934->84936 84937 4183e2 84936->84937 84938 4183b6 84936->84938 84939 413a88 __mtinitlocknum 67 API calls 84937->84939 84958 4189e6 InitializeCriticalSectionAndSpinCount __mtinitlocknum 84938->84958 84942 4183d3 84939->84942 84941 4183c1 84941->84942 84959 413a88 84941->84959 84973 4183fe LeaveCriticalSection _doexit 84942->84973 84945 4183cd 84972 417f23 67 API calls __getptd_noexit 84945->84972 84947->84918 84948->84925 84949->84928 84954 416fbf 84951->84954 84952 4138ba _malloc 66 API calls 84952->84954 84953 416ff5 84953->84929 84953->84930 84954->84952 84954->84953 84955 416fd6 Sleep 84954->84955 84956 416feb 84955->84956 84956->84953 84956->84954 84957->84931 84958->84941 84961 413a94 __mtinitlocknum 84959->84961 84960 413b0d _realloc __mtinitlocknum 84960->84945 84961->84960 84963 418407 __lock 65 API calls 84961->84963 84971 413ad3 84961->84971 84962 413ae8 
RtlFreeHeap 84962->84960 84964 413afa 84962->84964 84968 413aab ___sbh_find_block 84963->84968 84976 417f23 67 API calls __getptd_noexit 84964->84976 84966 413aff GetLastError 84966->84960 84967 413ac5 84975 413ade LeaveCriticalSection _doexit 84967->84975 84968->84967 84974 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 84968->84974 84971->84960 84971->84962 84972->84942 84973->84931 84974->84967 84975->84971 84976->84966 84978 416a01 84977->84978 84979 416a22 GetModuleHandleW 84977->84979 84978->84979 84982 416a0b TlsGetValue 84978->84982 84980 416a32 84979->84980 84981 416a3d GetProcAddress 84979->84981 85000 41177f Sleep GetModuleHandleW 84980->85000 84984 41130e 84981->84984 84986 416a16 84982->84986 84984->84892 84985 416a38 84985->84981 84985->84984 84986->84979 84986->84984 84987->84896 84988->84904 84989->84907 84991 4169a7 GetModuleHandleW 84990->84991 84992 416986 84990->84992 84993 4169c2 GetProcAddress 84991->84993 84994 4169b7 84991->84994 84992->84991 84995 416990 TlsGetValue 84992->84995 84997 41699f 84993->84997 85001 41177f Sleep GetModuleHandleW 84994->85001 84999 41699b 84995->84999 84997->84897 84998 4169bd 84998->84993 84998->84997 84999->84991 84999->84997 85000->84985 85001->84998 85005 41832d LeaveCriticalSection 85002->85005 85004 411420 85004->84885 85005->85004 85006 409030 85020 409110 117 API calls 85006->85020 85008 42ceb6 85034 410ae0 VariantClear moneypunct 85008->85034 85010 40906e 85010->85008 85012 42cea9 85010->85012 85014 4090a4 85010->85014 85011 42cebf 85033 45e62e 116 API calls 3 library calls 85012->85033 85021 404160 85014->85021 85017 4090f0 moneypunct 85019 4090be moneypunct 85019->85017 85029 4092c0 85019->85029 85020->85010 85022 4092c0 VariantClear 85021->85022 85023 40416e 85022->85023 85035 404120 85023->85035 85025 40419b 85039 4734b7 85025->85039 85083 40efe0 85025->85083 85026 4041c6 85026->85008 85026->85019 85030 4092c8 moneypunct 85029->85030 85031 429db0 VariantClear 85030->85031 85032 
4092d5 moneypunct 85030->85032 85031->85032 85032->85019 85033->85008 85034->85011 85036 40412e 85035->85036 85037 4092c0 VariantClear 85036->85037 85038 404138 85037->85038 85038->85025 85091 453063 85039->85091 85042 473545 85095 463c42 85042->85095 85043 47350c 85044 4092c0 VariantClear 85043->85044 85051 473514 85044->85051 85046 473558 85047 47355c 85046->85047 85064 473595 85046->85064 85048 4092c0 VariantClear 85047->85048 85057 473564 85048->85057 85049 473616 85108 463d7e 85049->85108 85051->85026 85052 473622 85054 473697 85052->85054 85055 47362c 85052->85055 85053 453063 111 API calls 85053->85064 85142 457838 85054->85142 85058 4092c0 VariantClear 85055->85058 85057->85026 85061 473634 85058->85061 85061->85026 85063 473655 85066 4092c0 VariantClear 85063->85066 85064->85049 85064->85053 85064->85063 85154 462f5a 87 API calls __wcsicoll 85064->85154 85077 47365d 85066->85077 85067 4736b0 85155 45e62e 116 API calls 3 library calls 85067->85155 85068 4736c9 85156 40e7e0 76 API calls 85068->85156 85071 4736ba GetCurrentProcess TerminateProcess 85071->85068 85072 4736db 85079 4736ff 85072->85079 85157 40d030 76 API calls 85072->85157 85073 473731 85080 473744 FreeLibrary 85073->85080 85081 47374b 85073->85081 85075 4736f1 85158 46b945 134 API calls 2 library calls 85075->85158 85077->85026 85079->85073 85159 40d030 76 API calls 85079->85159 85160 46b945 134 API calls 2 library calls 85079->85160 85080->85081 85081->85026 85084 40eff5 CreateFileW 85083->85084 85085 4299bf 85083->85085 85087 40f017 85084->85087 85086 4299c4 CreateFileW 85085->85086 85085->85087 85086->85087 85088 4299ea 85086->85088 85087->85026 85205 40e0d0 SetFilePointerEx SetFilePointerEx 85088->85205 85090 4299f5 85090->85087 85092 45306e 85091->85092 85093 45307a 85091->85093 85092->85093 85161 452e2a 111 API calls 5 library calls 85092->85161 85093->85042 85093->85043 85162 45335b 76 API calls 85095->85162 85097 463c5d 85163 442c52 80 API calls _wcslen 85097->85163 85099 463c72 85107 
463cac 85099->85107 85164 40c060 85099->85164 85103 463cf7 85103->85046 85105 463ca4 85170 40c740 85105->85170 85107->85103 85175 462f5a 87 API calls __wcsicoll 85107->85175 85109 453063 111 API calls 85108->85109 85110 463d99 85109->85110 85111 463de0 85110->85111 85112 463dca 85110->85112 85187 40c760 78 API calls 85111->85187 85186 453081 111 API calls 85112->85186 85115 463dd0 LoadLibraryW 85117 463e09 85115->85117 85116 463de7 85121 463e19 85116->85121 85188 40c760 78 API calls 85116->85188 85118 463e3e 85117->85118 85117->85121 85123 463e4e 85118->85123 85124 463e7b 85118->85124 85120 463dfb 85120->85121 85189 40c760 78 API calls 85120->85189 85121->85052 85190 40d500 75 API calls 85123->85190 85192 40c760 78 API calls 85124->85192 85127 463e82 GetProcAddress 85131 463e90 85127->85131 85128 463e57 85191 45efe7 77 API calls moneypunct 85128->85191 85130 463e62 GetProcAddress 85133 463e79 85130->85133 85131->85121 85132 463edf 85131->85132 85131->85133 85132->85121 85135 463eef FreeLibrary 85132->85135 85133->85131 85193 403470 75 API calls _realloc 85133->85193 85135->85121 85136 463eb4 85194 40d500 75 API calls 85136->85194 85138 463ebd 85195 45efe7 77 API calls moneypunct 85138->85195 85140 463ec8 GetProcAddress 85196 401330 moneypunct 85140->85196 85143 457a4c 85142->85143 85149 45785f _strcat moneypunct _wcslen _wcscpy 85142->85149 85150 410d40 85143->85150 85144 40c760 78 API calls 85144->85149 85145 443576 78 API calls 85145->85149 85146 453081 111 API calls 85146->85149 85147 4138ba 67 API calls _malloc 85147->85149 85149->85143 85149->85144 85149->85145 85149->85146 85149->85147 85197 40f580 85149->85197 85152 410d55 85150->85152 85151 410ded VirtualProtect 85153 410dbb 85151->85153 85152->85151 85152->85153 85153->85067 85153->85068 85154->85064 85155->85071 85156->85072 85157->85075 85158->85079 85159->85079 85160->85079 85161->85093 85162->85097 85163->85099 85165 41171a 75 API calls 85164->85165 85166 40c088 85165->85166 85167 41171a 75 API calls 
85166->85167 85168 40c096 85167->85168 85169 4608ce 75 API calls _realloc 85168->85169 85169->85105 85171 40c752 85170->85171 85172 40c747 85170->85172 85171->85107 85172->85171 85176 402ae0 85172->85176 85174 42a572 _realloc 85174->85107 85175->85103 85177 42a06a 85176->85177 85178 402aef 85176->85178 85183 401380 85177->85183 85178->85174 85180 42a072 85181 41171a 75 API calls 85180->85181 85182 42a095 _realloc 85181->85182 85182->85174 85184 41171a 75 API calls 85183->85184 85185 401387 85184->85185 85185->85180 85186->85115 85187->85116 85188->85120 85189->85117 85190->85128 85191->85130 85192->85127 85193->85136 85194->85138 85195->85140 85196->85132 85198 429440 85197->85198 85199 40f589 _wcslen 85197->85199 85200 40f58f WideCharToMultiByte 85199->85200 85201 40f5d8 85200->85201 85202 40f5ad 85200->85202 85201->85149 85203 41171a 75 API calls 85202->85203 85204 40f5bb WideCharToMultiByte 85203->85204 85204->85149 85205->85090 85206 4444e4 85211 40d900 85206->85211 85208 4444ee 85215 43723d 85208->85215 85210 444504 85212 40d917 85211->85212 85213 40d909 85211->85213 85212->85213 85214 40d91c CloseHandle 85212->85214 85213->85208 85214->85208 85216 40d900 CloseHandle 85215->85216 85217 437247 moneypunct 85216->85217 85217->85210 85218 4034b0 85219 4034b9 85218->85219 85220 4034bd 85218->85220 85221 42a0ba 85220->85221 85222 41171a 75 API calls 85220->85222 85223 4034fe moneypunct _realloc 85222->85223 85224 416193 85261 41718c 85224->85261 85226 41619f GetStartupInfoW 85228 4161c2 85226->85228 85262 41aa31 HeapCreate 85228->85262 85230 416212 85264 416e29 GetModuleHandleW 85230->85264 85234 416223 __RTC_Initialize 85298 41b669 85234->85298 85237 416231 85238 41623d GetCommandLineW 85237->85238 85367 4117af 67 API calls 3 library calls 85237->85367 85313 42235f GetEnvironmentStringsW 85238->85313 85241 41623c 85241->85238 85242 41624c 85319 4222b1 GetModuleFileNameW 85242->85319 85244 416256 85245 416261 85244->85245 85368 4117af 67 API calls 3 library calls 
85244->85368 85323 422082 85245->85323 85249 416272 85336 41186e 85249->85336 85252 416279 85254 416284 __wwincmdln 85252->85254 85370 4117af 67 API calls 3 library calls 85252->85370 85342 40d7f0 85254->85342 85257 4162b3 85372 411a4b 67 API calls _doexit 85257->85372 85260 4162b8 __mtinitlocknum 85261->85226 85263 416206 85262->85263 85263->85230 85365 41616a 67 API calls 3 library calls 85263->85365 85265 416e44 85264->85265 85266 416e3d 85264->85266 85268 416fac 85265->85268 85269 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 85265->85269 85373 41177f Sleep GetModuleHandleW 85266->85373 85383 416ad5 70 API calls 2 library calls 85268->85383 85272 416e97 TlsAlloc 85269->85272 85271 416e43 85271->85265 85274 416218 85272->85274 85275 416ee5 TlsSetValue 85272->85275 85274->85234 85366 41616a 67 API calls 3 library calls 85274->85366 85275->85274 85276 416ef6 85275->85276 85374 411a69 6 API calls 4 library calls 85276->85374 85278 416efb 85279 41696e __encode_pointer 6 API calls 85278->85279 85280 416f06 85279->85280 85281 41696e __encode_pointer 6 API calls 85280->85281 85282 416f16 85281->85282 85283 41696e __encode_pointer 6 API calls 85282->85283 85284 416f26 85283->85284 85285 41696e __encode_pointer 6 API calls 85284->85285 85286 416f36 85285->85286 85375 41828b InitializeCriticalSectionAndSpinCount __mtinitlocknum 85286->85375 85288 416f43 85288->85268 85289 4169e9 __decode_pointer 6 API calls 85288->85289 85290 416f57 85289->85290 85290->85268 85376 416ffb 85290->85376 85293 4169e9 __decode_pointer 6 API calls 85294 416f8a 85293->85294 85294->85268 85295 416f91 85294->85295 85382 416b12 67 API calls 5 library calls 85295->85382 85297 416f99 GetCurrentThreadId 85297->85274 85402 41718c 85298->85402 85300 41b675 GetStartupInfoA 85301 416ffb __calloc_crt 67 API calls 85300->85301 85308 41b696 85301->85308 85302 41b8b4 __mtinitlocknum 85302->85237 85303 41b831 GetStdHandle 85307 41b7fb 85303->85307 85304 41b896 SetHandleCount 85304->85302 
85305 416ffb __calloc_crt 67 API calls 85305->85308 85306 41b843 GetFileType 85306->85307 85307->85302 85307->85303 85307->85304 85307->85306 85404 4189e6 InitializeCriticalSectionAndSpinCount __mtinitlocknum 85307->85404 85308->85302 85308->85305 85308->85307 85309 41b77e 85308->85309 85309->85302 85309->85307 85310 41b7a7 GetFileType 85309->85310 85403 4189e6 InitializeCriticalSectionAndSpinCount __mtinitlocknum 85309->85403 85310->85309 85314 422370 85313->85314 85315 422374 85313->85315 85314->85242 85316 416fb6 __malloc_crt 67 API calls 85315->85316 85317 422395 _realloc 85316->85317 85318 42239c FreeEnvironmentStringsW 85317->85318 85318->85242 85320 4222e6 _wparse_cmdline 85319->85320 85321 416fb6 __malloc_crt 67 API calls 85320->85321 85322 422329 _wparse_cmdline 85320->85322 85321->85322 85322->85244 85324 42209a _wcslen 85323->85324 85328 416267 85323->85328 85325 416ffb __calloc_crt 67 API calls 85324->85325 85331 4220be _wcslen 85325->85331 85326 422123 85327 413a88 __mtinitlocknum 67 API calls 85326->85327 85327->85328 85328->85249 85369 4117af 67 API calls 3 library calls 85328->85369 85329 416ffb __calloc_crt 67 API calls 85329->85331 85330 422149 85332 413a88 __mtinitlocknum 67 API calls 85330->85332 85331->85326 85331->85328 85331->85329 85331->85330 85334 422108 85331->85334 85405 426349 67 API calls __swprintf 85331->85405 85332->85328 85334->85331 85406 417d93 10 API calls 3 library calls 85334->85406 85337 41187c __IsNonwritableInCurrentImage 85336->85337 85407 418486 85337->85407 85339 41189a __initterm_e 85340 411421 __cinit 74 API calls 85339->85340 85341 4118b9 __IsNonwritableInCurrentImage __initterm 85339->85341 85340->85341 85341->85252 85343 431bcb 85342->85343 85344 40d80c 85342->85344 85345 4092c0 VariantClear 85344->85345 85346 40d847 85345->85346 85411 40eb50 85346->85411 85349 40d877 85414 411ac6 67 API calls 4 library calls 85349->85414 85352 40d888 85415 411b24 67 API calls __swprintf 85352->85415 85354 40d891 85416 40f370 
SystemParametersInfoW SystemParametersInfoW 85354->85416 85356 40d89f 85417 40d6d0 GetCurrentDirectoryW 85356->85417 85358 40d8a7 SystemParametersInfoW 85359 40d8d4 85358->85359 85360 40d8cd FreeLibrary 85358->85360 85361 4092c0 VariantClear 85359->85361 85360->85359 85362 40d8dd 85361->85362 85363 4092c0 VariantClear 85362->85363 85364 40d8e6 85363->85364 85364->85257 85371 411a1f 67 API calls _doexit 85364->85371 85365->85230 85366->85234 85367->85241 85368->85245 85369->85249 85370->85254 85371->85257 85372->85260 85373->85271 85374->85278 85375->85288 85377 417004 85376->85377 85379 416f70 85377->85379 85380 417022 Sleep 85377->85380 85384 422452 85377->85384 85379->85268 85379->85293 85381 417037 85380->85381 85381->85377 85381->85379 85382->85297 85383->85274 85385 42245e __mtinitlocknum 85384->85385 85386 422476 85385->85386 85396 422495 _memset 85385->85396 85397 417f23 67 API calls __getptd_noexit 85386->85397 85388 42247b 85398 417ebb 6 API calls 2 library calls 85388->85398 85389 422507 HeapAlloc 85389->85396 85392 418407 __lock 66 API calls 85392->85396 85393 42248b __mtinitlocknum 85393->85377 85396->85389 85396->85392 85396->85393 85399 41a74c 5 API calls 2 library calls 85396->85399 85400 42254e LeaveCriticalSection _doexit 85396->85400 85401 411afc 6 API calls __decode_pointer 85396->85401 85397->85388 85399->85396 85400->85396 85401->85396 85402->85300 85403->85309 85404->85307 85405->85331 85406->85334 85408 41848c 85407->85408 85409 41696e __encode_pointer 6 API calls 85408->85409 85410 4184a4 85408->85410 85409->85408 85410->85339 85455 40eb70 85411->85455 85414->85352 85415->85354 85416->85356 85459 401f80 85417->85459 85419 40d6f1 IsDebuggerPresent 85420 431a9d MessageBoxA 85419->85420 85421 40d6ff 85419->85421 85422 431ab6 85420->85422 85421->85422 85423 40d71f 85421->85423 85561 403e90 75 API calls 3 library calls 85422->85561 85529 40f3b0 85423->85529 85427 40d73a GetFullPathNameW 85559 401440 127 API calls _wcscat 85427->85559 85429 40d77a 
85430 40d782 85429->85430 85432 431b09 SetCurrentDirectoryW 85429->85432 85431 40d78b 85430->85431 85562 43604b 6 API calls 85430->85562 85541 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 85431->85541 85432->85430 85435 431b28 85435->85431 85437 431b30 GetModuleFileNameW 85435->85437 85439 431ba4 GetForegroundWindow ShellExecuteW 85437->85439 85440 431b4c 85437->85440 85443 40d7c7 85439->85443 85563 401b70 85440->85563 85441 40d795 85449 40d7a8 85441->85449 85549 40e1e0 85441->85549 85446 40d7d1 SetCurrentDirectoryW 85443->85446 85446->85358 85448 431b66 85570 40d3b0 75 API calls 2 library calls 85448->85570 85449->85443 85560 401000 Shell_NotifyIconW _memset 85449->85560 85452 431b72 GetForegroundWindow ShellExecuteW 85453 431b9f 85452->85453 85453->85443 85454 40eba0 LoadLibraryA GetProcAddress 85454->85349 85456 40d86e 85455->85456 85457 40eb76 LoadLibraryA 85455->85457 85456->85349 85456->85454 85457->85456 85458 40eb87 GetProcAddress 85457->85458 85458->85456 85571 40e680 85459->85571 85463 401fa2 GetModuleFileNameW 85589 40ff90 85463->85589 85465 401fbd 85601 4107b0 85465->85601 85468 401b70 75 API calls 85469 401fe4 85468->85469 85604 4019e0 85469->85604 85471 401ff2 85472 4092c0 VariantClear 85471->85472 85473 402002 85472->85473 85474 401b70 75 API calls 85473->85474 85475 40201c 85474->85475 85476 4019e0 76 API calls 85475->85476 85477 40202c 85476->85477 85478 401b70 75 API calls 85477->85478 85479 40203c 85478->85479 85612 40c3e0 85479->85612 85481 40204d 85482 40c060 75 API calls 85481->85482 85483 402061 85482->85483 85630 401a70 85483->85630 85485 40206e 85637 4115d0 85485->85637 85488 42c174 85490 401a70 75 API calls 85488->85490 85489 402088 85491 4115d0 __wcsicoll 79 API calls 85489->85491 85492 42c189 85490->85492 85493 402093 85491->85493 85495 401a70 75 API calls 85492->85495 85493->85492 85494 40209e 85493->85494 85496 4115d0 __wcsicoll 79 API calls 85494->85496 85497 42c1a7 85495->85497 85498 4020a9 85496->85498 85499 
42c1b0 GetModuleFileNameW 85497->85499 85498->85499 85500 4020b4 85498->85500 85502 401a70 75 API calls 85499->85502 85501 4115d0 __wcsicoll 79 API calls 85500->85501 85503 4020bf 85501->85503 85504 42c1e2 85502->85504 85506 402107 85503->85506 85509 401a70 75 API calls 85503->85509 85514 42c20a _wcscpy 85503->85514 85649 40df50 75 API calls 85504->85649 85508 402119 85506->85508 85506->85514 85507 42c1f1 85510 401a70 75 API calls 85507->85510 85511 42c243 85508->85511 85645 40e7e0 76 API calls 85508->85645 85512 4020e5 _wcscpy 85509->85512 85513 42c201 85510->85513 85519 401a70 75 API calls 85512->85519 85513->85514 85516 401a70 75 API calls 85514->85516 85524 402148 85516->85524 85517 402132 85646 40d030 76 API calls 85517->85646 85519->85506 85520 40213e 85521 4092c0 VariantClear 85520->85521 85521->85524 85522 402184 85526 4092c0 VariantClear 85522->85526 85524->85522 85527 401a70 75 API calls 85524->85527 85647 40d030 76 API calls 85524->85647 85648 40e640 76 API calls 85524->85648 85528 402196 moneypunct 85526->85528 85527->85524 85528->85419 85530 42ccf4 _memset 85529->85530 85531 40f3c9 85529->85531 85534 42cd05 GetOpenFileNameW 85530->85534 86337 40ffb0 76 API calls moneypunct 85531->86337 85533 40f3d2 86338 410130 SHGetMalloc 85533->86338 85534->85531 85536 40d732 85534->85536 85536->85427 85536->85429 85537 40f3d9 86343 410020 88 API calls __wcsicoll 85537->86343 85539 40f3e7 86344 40f400 85539->86344 85542 42b9d3 85541->85542 85543 41025a LoadImageW RegisterClassExW 85541->85543 86391 443e8f EnumResourceNamesW LoadImageW 85542->86391 86390 4102f0 7 API calls 85543->86390 85546 42b9da 85547 40d790 85548 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 85547->85548 85548->85441 85551 40e207 _memset 85549->85551 85550 40e262 85553 40e2a4 85550->85553 86414 43737d 84 API calls __wcsicoll 85550->86414 85551->85550 85552 42aa14 DestroyIcon 85551->85552 85552->85550 85555 40e2c0 Shell_NotifyIconW 85553->85555 85556 42aa50 Shell_NotifyIconW 
85553->85556 86392 401be0 85555->86392 85558 40e2da 85558->85449 85559->85429 85560->85443 85561->85429 85562->85435 85564 401b76 _wcslen 85563->85564 85565 41171a 75 API calls 85564->85565 85568 401bc5 85564->85568 85566 401bad _realloc 85565->85566 85567 41171a 75 API calls 85566->85567 85567->85568 85569 40d3b0 75 API calls 2 library calls 85568->85569 85569->85448 85570->85452 85572 40c060 75 API calls 85571->85572 85573 401f90 85572->85573 85574 402940 85573->85574 85575 40294a __write_nolock 85574->85575 85650 4021e0 85575->85650 85578 402972 85588 4029a4 85578->85588 85662 401cf0 85578->85662 85579 402ae0 75 API calls 85579->85588 85580 402a8c 85581 401b70 75 API calls 85580->85581 85587 402abe 85580->85587 85583 402ab3 85581->85583 85582 401b70 75 API calls 85582->85588 85666 40d970 75 API calls 2 library calls 85583->85666 85584 401cf0 75 API calls 85584->85588 85587->85463 85588->85579 85588->85580 85588->85582 85588->85584 85665 40d970 75 API calls 2 library calls 85588->85665 85668 40f5e0 85589->85668 85592 40ffa6 85592->85465 85594 42b6d8 85598 42b6e6 85594->85598 85724 434fe1 85594->85724 85596 413a88 __mtinitlocknum 67 API calls 85597 42b6f5 85596->85597 85599 434fe1 106 API calls 85597->85599 85598->85596 85600 42b702 85599->85600 85600->85465 85602 41171a 75 API calls 85601->85602 85603 401fd6 85602->85603 85603->85468 85605 401a03 85604->85605 85609 4019e5 85604->85609 85606 401a1a 85605->85606 85605->85609 86326 404260 76 API calls 85606->86326 85608 4019ff 85608->85471 85609->85608 86325 404260 76 API calls 85609->86325 85611 401a26 85611->85471 85613 40c3e4 85612->85613 85614 40c42c 85612->85614 85617 40c3f0 85613->85617 85618 42a475 85613->85618 85615 42a422 85614->85615 85616 40c435 85614->85616 85622 42a427 85615->85622 85623 42a445 85615->85623 85619 40c441 85616->85619 85620 42a455 85616->85620 86327 4042f0 75 API calls __cinit 85617->86327 86332 453155 75 API calls 85618->86332 86328 4042f0 75 API calls __cinit 85619->86328 86331 453155 
75 API calls 85620->86331 85629 40c3fb 85622->85629 86329 453155 75 API calls 85622->86329 86330 453155 75 API calls 85623->86330 85629->85481 85629->85629 85631 401a90 85630->85631 85632 401a77 85630->85632 85634 4021e0 75 API calls 85631->85634 85633 401a8d 85632->85633 86333 404080 75 API calls _realloc 85632->86333 85633->85485 85636 401a9c 85634->85636 85636->85485 85638 4115e1 85637->85638 85639 411650 85637->85639 85644 40207d 85638->85644 86334 417f23 67 API calls __getptd_noexit 85638->86334 86336 4114bf 79 API calls 3 library calls 85639->86336 85642 4115ed 86335 417ebb 6 API calls 2 library calls 85642->86335 85644->85488 85644->85489 85645->85517 85646->85520 85647->85524 85648->85524 85649->85507 85651 4021f1 _wcslen 85650->85651 85652 42a598 85650->85652 85654 402205 85651->85654 85655 402226 85651->85655 85653 40c740 75 API calls 85652->85653 85657 42a5a2 85653->85657 85667 404020 75 API calls moneypunct 85654->85667 85656 401380 75 API calls 85655->85656 85660 40222d 85656->85660 85659 40220c _realloc 85659->85578 85660->85657 85661 41171a 75 API calls 85660->85661 85661->85659 85663 402ae0 75 API calls 85662->85663 85664 401cf7 85663->85664 85664->85578 85665->85588 85666->85587 85667->85659 85669 40f580 77 API calls 85668->85669 85670 40f5f8 _strcat moneypunct 85669->85670 85728 40f6d0 85670->85728 85675 42b2ee 85757 4151b0 85675->85757 85677 40f679 85677->85675 85678 40f681 85677->85678 85744 414e94 85678->85744 85682 40f68b 85682->85592 85687 452574 85682->85687 85684 42b31d 85763 415484 85684->85763 85686 42b33d 85688 41557c _fseek 105 API calls 85687->85688 85689 4525df 85688->85689 86264 4523ce 85689->86264 85692 4525fc 85692->85594 85693 4151b0 __fread_nolock 81 API calls 85694 45261d 85693->85694 85695 4151b0 __fread_nolock 81 API calls 85694->85695 85696 45262e 85695->85696 85697 4151b0 __fread_nolock 81 API calls 85696->85697 85698 452649 85697->85698 85699 4151b0 __fread_nolock 81 API calls 85698->85699 85700 452666 85699->85700 85701 
41557c _fseek 105 API calls 85700->85701 85702 452682 85701->85702 85703 4138ba _malloc 67 API calls 85702->85703 85704 45268e 85703->85704 85705 4138ba _malloc 67 API calls 85704->85705 85706 45269b 85705->85706 85707 4151b0 __fread_nolock 81 API calls 85706->85707 85708 4526ac 85707->85708 85709 44afdc GetSystemTimeAsFileTime 85708->85709 85710 4526bf 85709->85710 85711 4526d5 85710->85711 85712 4526fd 85710->85712 85715 413a88 __mtinitlocknum 67 API calls 85711->85715 85713 452704 85712->85713 85714 45275b 85712->85714 86270 44b195 85713->86270 85717 413a88 __mtinitlocknum 67 API calls 85714->85717 85718 4526df 85715->85718 85720 452759 85717->85720 85721 413a88 __mtinitlocknum 67 API calls 85718->85721 85719 452753 85722 413a88 __mtinitlocknum 67 API calls 85719->85722 85720->85594 85723 4526e8 85721->85723 85722->85720 85723->85594 85725 434ff1 85724->85725 85726 434feb 85724->85726 85725->85598 85727 414e94 __fcloseall 106 API calls 85726->85727 85727->85725 85729 40f6dd _strlen 85728->85729 85776 40f790 85729->85776 85732 414e06 85795 414d40 85732->85795 85734 40f666 85734->85675 85735 40f450 85734->85735 85738 40f45a _strcat _realloc __write_nolock 85735->85738 85736 4151b0 __fread_nolock 81 API calls 85736->85738 85737 40f531 85737->85677 85738->85736 85738->85737 85742 42936d 85738->85742 85878 41557c 85738->85878 85740 41557c _fseek 105 API calls 85741 429394 85740->85741 85743 4151b0 __fread_nolock 81 API calls 85741->85743 85742->85740 85743->85737 85745 414ea0 __mtinitlocknum 85744->85745 85746 414ed1 85745->85746 85747 414eb4 85745->85747 85750 415965 __lock_file 68 API calls 85746->85750 85754 414ec9 __mtinitlocknum 85746->85754 86017 417f23 67 API calls __getptd_noexit 85747->86017 85749 414eb9 86018 417ebb 6 API calls 2 library calls 85749->86018 85752 414ee9 85750->85752 86001 414e1d 85752->86001 85754->85682 86086 41511a 85757->86086 85759 4151c8 85760 44afdc 85759->85760 86257 4431e0 85760->86257 85762 44affd 85762->85684 85764 415490 
__mtinitlocknum 85763->85764 85765 4154bb 85764->85765 85766 41549e 85764->85766 85767 415965 __lock_file 68 API calls 85765->85767 86261 417f23 67 API calls __getptd_noexit 85766->86261 85769 4154c3 85767->85769 85771 4152e7 __ftell_nolock 71 API calls 85769->85771 85770 4154a3 86262 417ebb 6 API calls 2 library calls 85770->86262 85773 4154cf 85771->85773 86263 4154e8 LeaveCriticalSection LeaveCriticalSection _ftell 85773->86263 85774 4154b3 __mtinitlocknum 85774->85686 85777 40f7ae _memset 85776->85777 85779 40f628 85777->85779 85780 415258 85777->85780 85779->85732 85781 415285 85780->85781 85782 415268 85780->85782 85781->85782 85784 41528c 85781->85784 85791 417f23 67 API calls __getptd_noexit 85782->85791 85793 41c551 103 API calls 14 library calls 85784->85793 85786 41526d 85792 417ebb 6 API calls 2 library calls 85786->85792 85787 4152b2 85789 41527d 85787->85789 85794 4191c9 101 API calls 7 library calls 85787->85794 85789->85777 85791->85786 85793->85787 85794->85789 85796 414d4c __mtinitlocknum 85795->85796 85797 414d5f 85796->85797 85800 414d95 85796->85800 85847 417f23 67 API calls __getptd_noexit 85797->85847 85799 414d64 85848 417ebb 6 API calls 2 library calls 85799->85848 85814 41e28c 85800->85814 85803 414d9a 85804 414da1 85803->85804 85805 414dae 85803->85805 85849 417f23 67 API calls __getptd_noexit 85804->85849 85807 414dd6 85805->85807 85808 414db6 85805->85808 85832 41dfd8 85807->85832 85850 417f23 67 API calls __getptd_noexit 85808->85850 85811 414d74 __mtinitlocknum @_EH4_CallFilterFunc@8 85811->85734 85815 41e298 __mtinitlocknum 85814->85815 85816 418407 __lock 67 API calls 85815->85816 85822 41e2a6 85816->85822 85817 41e322 85818 416fb6 __malloc_crt 67 API calls 85817->85818 85820 41e32c 85818->85820 85829 41e31b 85820->85829 85857 4189e6 InitializeCriticalSectionAndSpinCount __mtinitlocknum 85820->85857 85821 41e3b0 __mtinitlocknum 85821->85803 85822->85817 85824 418344 __mtinitlocknum 67 API calls 85822->85824 85822->85829 85855 4159a6 
68 API calls __lock 85822->85855 85856 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 85822->85856 85824->85822 85826 41e351 85827 41e35c 85826->85827 85828 41e36f EnterCriticalSection 85826->85828 85830 413a88 __mtinitlocknum 67 API calls 85827->85830 85828->85829 85852 41e3bb 85829->85852 85830->85829 85833 41dffb __wopenfile 85832->85833 85834 41e015 85833->85834 85846 41e1e9 85833->85846 85864 4136bc 79 API calls 2 library calls 85833->85864 85862 417f23 67 API calls __getptd_noexit 85834->85862 85836 41e01a 85863 417ebb 6 API calls 2 library calls 85836->85863 85838 41e247 85859 425db0 85838->85859 85842 41e1e2 85842->85846 85865 4136bc 79 API calls 2 library calls 85842->85865 85844 41e201 85844->85846 85866 4136bc 79 API calls 2 library calls 85844->85866 85846->85834 85846->85838 85847->85799 85849->85811 85850->85811 85851 414dfc LeaveCriticalSection LeaveCriticalSection _ftell 85851->85811 85858 41832d LeaveCriticalSection 85852->85858 85854 41e3c2 85854->85821 85855->85822 85856->85822 85857->85826 85858->85854 85867 425ce4 85859->85867 85861 414de1 85861->85851 85862->85836 85864->85842 85865->85844 85866->85846 85868 425cf0 __mtinitlocknum 85867->85868 85869 425d03 85868->85869 85871 425d41 85868->85871 85870 417f23 __swprintf 67 API calls 85869->85870 85872 425d08 85870->85872 85873 4255c4 __tsopen_nolock 132 API calls 85871->85873 85874 417ebb __swprintf 6 API calls 85872->85874 85875 425d5b 85873->85875 85877 425d17 __mtinitlocknum 85874->85877 85876 425d82 __sopen_helper LeaveCriticalSection 85875->85876 85876->85877 85877->85861 85882 415588 __mtinitlocknum 85878->85882 85879 415596 85909 417f23 67 API calls __getptd_noexit 85879->85909 85881 4155c4 85891 415965 85881->85891 85882->85879 85882->85881 85884 41559b 85910 417ebb 6 API calls 2 library calls 85884->85910 85890 4155ab __mtinitlocknum 85890->85738 85892 415977 85891->85892 85893 415999 EnterCriticalSection 85891->85893 85892->85893 85894 41597f 85892->85894 85895 4155cc 

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                                                      • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\kk.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                                                      • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                                                    • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                                                    • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\kk.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                                                      • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                                                    • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\kk.exe,00000004), ref: 0040D7D6
                                                    • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                                                    • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\kk.exe,00000004), ref: 00431B0E
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\kk.exe,00000004), ref: 00431B3F
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                                                    • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                                                      • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                      • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                      • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                                                      • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                                                      • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                                                      • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                      • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                                      • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                      • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                      • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                                      • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                                      • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                                      • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                    • String ID: @GH$@GH$C:\Users\user\Desktop\kk.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                    • API String ID: 2493088469-1523010201
                                                    • Opcode ID: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                                    • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                    • Opcode Fuzzy Hash: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                                    • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                                                    Control-flow Graph

                                                    APIs
                                                    • GetVersionExW.KERNEL32 ref: 0040E495
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                    • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                    • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                    • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                    Strings
                                                    Similarity
                                                    • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                    • String ID: pMH
                                                    • API String ID: 2923339712-2522892712
                                                    • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                    • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                    • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                    • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                    Strings
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: IsThemeActive$uxtheme.dll
                                                    • API String ID: 2574300362-3542929980
                                                    • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                    • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                    • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                    • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                    • __wsplitpath.LIBCMT ref: 00410C61
                                                      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                    • _wcsncat.LIBCMT ref: 00410C78
                                                    • __wmakepath.LIBCMT ref: 00410C94
                                                      • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                    • _wcscpy.LIBCMT ref: 00410CCC
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                    • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                    • _wcscat.LIBCMT ref: 00429C43
                                                    • _wcslen.LIBCMT ref: 00429C55
                                                    • _wcslen.LIBCMT ref: 00429C66
                                                    • _wcscat.LIBCMT ref: 00429C80
                                                    • _wcsncpy.LIBCMT ref: 00429CC0
                                                    • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                    • API String ID: 1004883554-2276155026
                                                    • Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                    • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                    • Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                    • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock$_fseek_wcscpy
                                                    • String ID: FILE
                                                    • API String ID: 3888824918-3121273764
                                                    • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                    • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                    • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                    • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32 ref: 00410326
                                                    • RegisterClassExW.USER32 ref: 00410359
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                    • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                    • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                    • ImageList_ReplaceIcon.COMCTL32(00A63A28,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                    • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                    • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                    • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                    • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                    • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                    • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                    • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                    • RegisterClassExW.USER32 ref: 004102C6
                                                      • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                      • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                      • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                      • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                      • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                      • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                      • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00A63A28,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$PGH
                                                    • API String ID: 423443420-3673556320
                                                    • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                    • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                    • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                    • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                                                    Control-flow Graph

                                                    APIs
                                                    • _fseek.LIBCMT ref: 004525DA
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                    • __fread_nolock.LIBCMT ref: 00452618
                                                    • __fread_nolock.LIBCMT ref: 00452629
                                                    • __fread_nolock.LIBCMT ref: 00452644
                                                    • __fread_nolock.LIBCMT ref: 00452661
                                                    • _fseek.LIBCMT ref: 0045267D
                                                    • _malloc.LIBCMT ref: 00452689
                                                    • _malloc.LIBCMT ref: 00452696
                                                    • __fread_nolock.LIBCMT ref: 004526A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                    • String ID:
                                                    • API String ID: 1911931848-0
                                                    • Opcode ID: 07c7d1d11592908342a612a25e8a5e33943486726a22accfdf27b608027379a0
                                                    • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                    • Opcode Fuzzy Hash: 07c7d1d11592908342a612a25e8a5e33943486726a22accfdf27b608027379a0
                                                    • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered image not preserved): entry block at 40f450; calls to 425210, 413990, 410f70, 4151b0, 41557c and 4151d0; cold-path blocks relocated to 429361-4293c3; the block at 40f4b0 loops back to itself via 40f51c (read/compare loop).
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock_fseek_strcat
                                                    • String ID: AU3!$EA06
                                                    • API String ID: 3818483258-2658333250
                                                    • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                    • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                    • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                    • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
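The function above (entry 40f450) seeks and reads through the binary with _fseek/__fread_nolock and compares against the strings AU3! and EA06, the two markers that precede an embedded compiled AutoIt v3 script. The following scanner is an added example for this report, not Joe Sandbox or AutoIt code: it locates every occurrence of the AU3!EA06 marker in a file and reports whether the hit lies inside a PE section or in the overlay appended after the last section, which is where a compiled script is most often carried. The sample PE it builds is constructed here for a self-contained run; that the marker is the contiguous ASCII string AU3!EA06 is an assumption taken from the function's string IDs, and the surrounding script container is not parsed.

```python
"""Locate the compiled-AutoIt (AU3!EA06) marker in a file and map it to a PE region.

Added illustration for this report; not Joe Sandbox or AutoIt code.
Assumption (from the function's string IDs, not stated elsewhere in the report):
the marker is the ASCII string 'AU3!' immediately followed by 'EA06'.
"""
import struct
import sys

AU3_MARKER = b"AU3!EA06"


def find_au3_markers(data: bytes) -> list:
    """Return every file offset at which the AU3!EA06 marker starts."""
    hits, pos = [], data.find(AU3_MARKER)
    while pos != -1:
        hits.append(pos)
        pos = data.find(AU3_MARKER, pos + 1)
    return hits


def pe_raw_sections(data: bytes) -> list:
    """Return (name, raw_start, raw_end) for each section header, or [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), raw_ptr, raw_ptr + raw_size))
        off += 40
    return sections


def classify_offset(offset: int, sections: list) -> str:
    """Name the PE region holding a file offset: a section, the overlay, or the headers."""
    for name, start, end in sections:
        if start <= offset < end:
            return name
    if sections and offset >= max(end for _, _, end in sections):
        return "overlay"
    return "header/unmapped"


def locate_au3(data: bytes) -> list:
    """Return [(offset, region), ...] for every AU3!EA06 marker in the blob."""
    sections = pe_raw_sections(data)
    return [(off, classify_offset(off, sections)) for off in find_au3_markers(data)]


def build_sample() -> bytes:
    """Constructed minimal PE: one .text section plus an overlay, each holding one marker."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102) + b"\0" * 0xE0
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = dos + coff + sect
    header += b"\0" * (0x200 - len(header))                                   # pad to PointerToRawData
    text = b"\x90" * 16 + AU3_MARKER + b"\x90" * (0x200 - 16 - len(AU3_MARKER))  # marker at 0x210
    overlay = b"\0" * 8 + AU3_MARKER + b"\0" * 8                              # marker at 0x408
    return header + text + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample()
    for offset, region in locate_au3(blob):
        print(f"AU3!EA06 at 0x{offset:x} ({region})")
```

Run it against a dropped sample as `python au3scan.py kk.exe`; a hit in the overlay or in a resource section is the usual carrier for the script the function at 40f450 goes looking for, and an absent marker on a file that still shows the AutoIt runtime strings suggests the script is obfuscated or loaded from elsewhere.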

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered image not preserved): entry block at 410130; SHGetMalloc at 410130, SHGetDesktopFolder at 410148, SHGetPathFromIDListW at 41018a; calls to 411691 on the success and failure paths; cold-path block at 42944f.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                    • String ID: C:\Users\user\Desktop\kk.exe
                                                    • API String ID: 192938534-1423750245
                                                    • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                    • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                    • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                    • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered image not preserved): entry block at 3f4bc68; CreateFileW at 3f4bd1d, VirtualAlloc at 3f4bd61 and 3f4bda0, ReadFile at 3f4bd82, CloseHandle at 3f4be68, VirtualFree at 3f4be78 and 3f4bf54; calls to 3f49668, 3f4cb78, 3f4cdc8 and 3f4cbd8; the block at 3f4be86 loops back to the CreateFileW block, so the routine opens and reads files repeatedly.
                                                    APIs
                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F4BD39
                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F4BF5F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3f49000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateFileFreeVirtual
                                                    • String ID:
                                                    • API String ID: 204039940-0
                                                    • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                    • Instruction ID: dbd7d17a6e470e1071b69c814bc71f147e69e68a33d10a5aac29c523db91b85d
                                                    • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                    • Instruction Fuzzy Hash: A4A11675E00209EBDB18CFA4C894BAEBBB5BF48304F248199E645BB281D7799E41CF50

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered image not preserved): entry block at 414f10; no direct Win32 calls; calls to 417f23, 417ebb, 4131f0, 41e6b1, 41ee9b, 41453a and 41ed9e (CRT buffered-read helpers per the API IDs below).
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                    • String ID:
                                                    • API String ID: 3886058894-0
                                                    • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                    • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                    • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                    • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • _memset.LIBCMT ref: 00401C62
                                                    • _wcsncpy.LIBCMT ref: 00401CA1
                                                    • _wcscpy.LIBCMT ref: 00401CBD
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                    • String ID: Line:
                                                    • API String ID: 1620655955-1585850449
                                                    • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                    • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                    • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                    • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

                                                    Control-flow Graph

Control-flow graph: a single block (445) at 004103E0-00410461 that calls CreateWindowExW twice and ShowWindow twice; both ShowWindow calls pass nCmdShow 0 (SW_HIDE), so the "AutoIt v3" host window and its edit control are created hidden.
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                    • ShowWindow.USER32(?,00000000), ref: 00410454
                                                    • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                    • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                    • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                    • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

                                                    Control-flow Graph

Control-flow graph (blocks 446-468) for the function at 03F4BA18 in the unbacked 03F49000 region: calls 03F49668 and 03F4B908 (the Sleep wrapper), then CreateFileW; on a valid handle it calls VirtualAlloc and ReadFile, then 03F4B948 and 03F4A908, optionally 03F4B998, and finally ExitProcess. The VirtualAlloc/ReadFile/ExitProcess calls appear only in the graph, not in the API list below, so the routine reads a whole file into freshly allocated memory before the process exits.
                                                    APIs
                                                      • Part of subcall function 03F4B908: Sleep.KERNELBASE(000001F4), ref: 03F4B919
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F4BB60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3f49000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateFileSleep
                                                    • String ID: 46YWK74TKHF39349JFL
                                                    • API String ID: 2694422964-1535797867
                                                    • Opcode ID: 085f47066cbd091babb3f26b1bcc29260965d0ac104e0b9b2c1a1d1297627e7c
                                                    • Instruction ID: 0cb8d5506e0618f4c48ddba613f740629234ac8ded553f4ffe03dd5e9fd85400
                                                    • Opcode Fuzzy Hash: 085f47066cbd091babb3f26b1bcc29260965d0ac104e0b9b2c1a1d1297627e7c
                                                    • Instruction Fuzzy Hash: 32519170D14248DBEF11DBE4C854BEEBBB9AF19300F004599E248BB2C1D6BA4F45CB65

                                                    Control-flow Graph

Control-flow graph (blocks 470-495) for the CRT free routine at 00413A88: calls 0041718C, then either 00418407/00419F6D/00419F9D/00413ADE (small-block heap path) or RtlFreeHeap; if RtlFreeHeap fails it calls 00417F23, GetLastError and 00417EE1; all paths end at 004171D1.
                                                    APIs
                                                    • __lock.LIBCMT ref: 00413AA6
                                                      • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                                      • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                                      • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                                                    • ___sbh_find_block.LIBCMT ref: 00413AB1
                                                    • ___sbh_free_block.LIBCMT ref: 00413AC0
                                                    • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                    • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 2714421763-0
                                                    • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                    • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                                    • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                    • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                                                    APIs
                                                      • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                                      • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                                      • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                                    • _strcat.LIBCMT ref: 0040F603
                                                      • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                                      • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                                    • String ID: HH
                                                    • API String ID: 1194219731-2761332787
                                                    • Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
                                                    • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                                    • Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
                                                    • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03F4B135
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F4B159
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F4B17B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3f49000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                    • Instruction ID: 75e14e0798af292eb3ab9a0d57b9b04674983452da8c5af28a715834309cc32f
                                                    • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                    • Instruction Fuzzy Hash: B0620B30A14218DBEB24CFA4C850BDEB776EF58300F1091A9D14DEB3A5E7759E81CB59
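The two entries from the unbacked 03F49000 region (CreateFileW followed in the graph by VirtualAlloc and ReadFile, and CreateProcessW followed by Wow64GetThreadContext and a 4-byte ReadProcessMemory) are the calls a triager reads first. The script below is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses API lines and "Memory Dump Source" lines in the layout used on this page (assumed to start each function entry with the "APIs" header, which is how the listing is laid out here), decodes the hex CreateFileW and ContextFlags arguments, and flags entries that combine two or more injection primitives in memory not backed by a PE. The input is constructed from lines of this listing; the INJECTION_APIS set and the two-API threshold are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the report's own layout: API and Source File lines copied from
# the listing above, with the "APIs" header assumed to open each function entry.
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F4BB60
Memory Dump Source
• Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03F4B135
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F4B159
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F4B17B
Memory Dump Source
• Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
Memory Dump Source
• Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")

# Process-injection primitives worth flagging when they run from memory with no PE backing.
# This set is the example's own choice, not a list taken from the report.
INJECTION_APIS = {
    "CreateProcessW", "CreateProcessA", "Wow64GetThreadContext", "GetThreadContext",
    "Wow64SetThreadContext", "SetThreadContext", "ReadProcessMemory", "WriteProcessMemory",
    "VirtualAllocEx", "NtUnmapViewOfSection", "ResumeThread",
}


@dataclass
class Entry:
    calls: List[Tuple[str, str, List[str], str]] = field(default_factory=list)  # (api, module, args, ref)
    offset: Optional[str] = None
    pe_backed: Optional[bool] = None


def parse_listing(text: str) -> List[Entry]:
    """Split the listing into per-function entries; 'Part of subcall' lines do not match and are skipped."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            api, module, args, ref = m.groups()
            cur.calls.append((api, module, [a.strip() for a in args.split(",")], ref))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.offset, cur.pe_backed = m.group(1), m.group(2) == "true"
    return entries


def hexarg(a: str) -> Optional[int]:
    """Report arguments are hex; '?' means the sandbox could not resolve the value."""
    return None if a == "?" else int(a, 16)


def decode_create_file(args: List[str]) -> Dict[str, object]:
    """Decode the seven CreateFileW parameters; anything after them is caller stack context."""
    if len(args) < 7:
        return {}
    access, share, disp, flags = (hexarg(a) for a in (args[1], args[2], args[4], args[5]))
    out: Dict[str, object] = {}
    if access is not None:
        out["access"] = [n for bit, n in ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")) if access & bit]
    if share is not None:
        out["share"] = [n for bit, n in ((1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")) if share & bit]
    if disp is not None:
        out["disposition"] = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                              4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}.get(disp, hex(disp))
    if flags is not None:
        out["normal_attribute"] = bool(flags & 0x80)  # FILE_ATTRIBUTE_NORMAL
    return out


def triage(text: str) -> List[Dict[str, object]]:
    """One finding per entry: decoded arguments plus a flag for injection APIs in unbacked memory."""
    findings = []
    for e in parse_listing(text):
        hits = sorted({api for api, _, _, _ in e.calls if api in INJECTION_APIS})
        notes = []
        for api, _, args, ref in e.calls:
            if api == "CreateFileW":
                notes.append((ref, decode_create_file(args)))
            elif api in ("Wow64GetThreadContext", "GetThreadContext") and len(args) > 1 and hexarg(args[1]) == 0x10007:
                notes.append((ref, {"ContextFlags": "CONTEXT_FULL (i386)"}))  # 0x10000 | CONTROL 1 | INTEGER 2 | SEGMENTS 4
            elif api == "ReadProcessMemory" and len(args) > 3 and hexarg(args[3]) == 4:
                notes.append((ref, {"read_size": 4}))  # pointer-sized read; the address is not shown in the listing
        findings.append({
            "offset": e.offset,
            "pe_backed": e.pe_backed,
            "injection_apis": hits,
            "suspicious": (e.pe_backed is False) and len(hits) >= 2,
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

The 4-byte ReadProcessMemory immediately after a CONTEXT_FULL Wow64GetThreadContext is consistent with reading the suspended child's image base from its PEB, which is the usual next step of a hollowing loader, but the listing does not show the address being read, so the script records only the size and leaves that inference to the analyst.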
                                                    APIs
                                                    • _memset.LIBCMT ref: 0040E202
                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell__memset
                                                    • String ID:
                                                    • API String ID: 928536360-0
                                                    • Opcode ID: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
                                                    • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                                                    • Opcode Fuzzy Hash: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
                                                    • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                                                    APIs
                                                    • _malloc.LIBCMT ref: 00411734
                                                      • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                      • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                      • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                    • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                                                    • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                    • __CxxThrowException@8.LIBCMT ref: 00411779
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1411284514-0
                                                    • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                    • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                                                    • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                    • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                    • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                                    • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                    • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                    • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3677997916-0
                                                    • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                    • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                    • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                    • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                    APIs
                                                    • _malloc.LIBCMT ref: 00435278
                                                      • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                      • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                      • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                    • _malloc.LIBCMT ref: 00435288
                                                    • _malloc.LIBCMT ref: 00435298
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _malloc$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 680241177-0
                                                    • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                    • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                    • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                    • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __lock_file_memset
                                                    • String ID:
                                                    • API String ID: 26237723-0
                                                    APIs
                                                      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                    • __lock_file.LIBCMT ref: 00414EE4
                                                      • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                    • __fclose_nolock.LIBCMT ref: 00414EEE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 717694121-0
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03F4B135
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F4B159
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F4B17B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3f49000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ProcWindow
                                                    • String ID:
                                                    • API String ID: 181713994-0
                                                    APIs
                                                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateHeap
                                                    • String ID:
                                                    • API String ID: 10892065-0
                                                    APIs
                                                      • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                    • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: File$PointerWrite
                                                    • String ID:
                                                    • API String ID: 539440098-0
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ProcWindow
                                                    • String ID:
                                                    • API String ID: 181713994-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    APIs
                                                    • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 03F4B919
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1329632625.0000000003F49000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F49000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3f49000_kk.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    APIs
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                    • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                    • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                    • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                    • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                    • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                    • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                    • SendMessageW.USER32 ref: 0047C2FB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$State$LongProcWindow
                                                    • String ID: @GUI_DRAGID$F
                                                    • API String ID: 1562745308-4164748364
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PF$'|G$*"D$*vG$+%F$0wE$2G$5CG$7eF$<HF$<G$ApG$DvE$GSG$IqE$K@G$LbF$MdF$NgF$PIF$YtG$^[F$_?G$b"D$i}G$j)F$kQG$lE$rTG$vjE$}eE$*F$3G$_G$wG
                                                    • API String ID: 0-3772701627
                                                    • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                    • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                                    • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                    • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                                    APIs
                                                    • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                                    • IsIconic.USER32(?), ref: 004375E1
                                                    • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                                    • SetForegroundWindow.USER32(?), ref: 004375FD
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                    • GetCurrentThreadId.KERNEL32 ref: 00437619
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                                    • SetForegroundWindow.USER32(?), ref: 00437645
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                    • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                    • keybd_event.USER32(00000012,00000000), ref: 00437674
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                    • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                    • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                                    • SetForegroundWindow.USER32(?), ref: 004376AD
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 3778422247-2988720461
                                                    • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                    • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                                                    • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                    • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                                                    APIs
                                                    • _memset.LIBCMT ref: 0044621B
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                    • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                                    • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                                    • _wcslen.LIBCMT ref: 0044639E
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • _wcsncpy.LIBCMT ref: 004463C7
                                                    • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                    • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                    • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                                    • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                    • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                                    • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                                    • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                                    • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                                    • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                    • String ID: $default$winsta0
                                                    • API String ID: 2173856841-1027155976
                                                    • Opcode ID: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
                                                    • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                                    • Opcode Fuzzy Hash: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
                                                    • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00409A61
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                    • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                    • String ID: 0vH$4RH
                                                    • API String ID: 1143807570-2085553193
                                                    • Opcode ID: 88a19b4cc9c9a9d83f3f9e2de6433f25e45d54e9704eefe367a70e6a3dd99c42
                                                    • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                                                    • Opcode Fuzzy Hash: 88a19b4cc9c9a9d83f3f9e2de6433f25e45d54e9704eefe367a70e6a3dd99c42
                                                    • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
                                                    APIs
                                                      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\kk.exe,?,C:\Users\user\Desktop\kk.exe,004A8E80,C:\Users\user\Desktop\kk.exe,0040F3D2), ref: 0040FFCA
                                                      • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                                      • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                                      • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                                      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                    • _wcscat.LIBCMT ref: 0044BD96
                                                    • _wcscat.LIBCMT ref: 0044BDBF
                                                    • __wsplitpath.LIBCMT ref: 0044BDEC
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                                    • _wcscpy.LIBCMT ref: 0044BE73
                                                    • _wcscat.LIBCMT ref: 0044BE85
                                                    • _wcscat.LIBCMT ref: 0044BE97
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                                    • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                                                    • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                                                    • FindClose.KERNEL32(00000000), ref: 0044BF35
                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                                    • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 2188072990-1173974218
                                                    • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                    • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                                                    • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                    • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                                                    APIs
                                                    • __invoke_watson.LIBCMT ref: 004203A4
                                                      • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                                      • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                                      • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                                                      • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                                                      • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                                      • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                                    • __get_daylight.LIBCMT ref: 004203B0
                                                    • __invoke_watson.LIBCMT ref: 004203BF
                                                    • __get_daylight.LIBCMT ref: 004203CB
                                                    • __invoke_watson.LIBCMT ref: 004203DA
                                                    • ____lc_codepage_func.LIBCMT ref: 004203E2
                                                    • _strlen.LIBCMT ref: 00420442
                                                    • __malloc_crt.LIBCMT ref: 00420449
                                                    • _strlen.LIBCMT ref: 0042045F
                                                    • _strcpy_s.LIBCMT ref: 0042046D
                                                    • __invoke_watson.LIBCMT ref: 00420482
                                                    • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                                    • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                                    • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                                      • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                                      • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                                      • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                                      • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                      • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                    • __invoke_watson.LIBCMT ref: 004205CC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                                    • String ID: S\
                                                    • API String ID: 4084823496-393906132
                                                    • Opcode ID: 9f641836eee9844fdb211255f71e21062b6006d1a88a71a8f5a1c928a585c03b
                                                    • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                                                    • Opcode Fuzzy Hash: 9f641836eee9844fdb211255f71e21062b6006d1a88a71a8f5a1c928a585c03b
                                                    • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                                                    • __swprintf.LIBCMT ref: 00434D91
                                                    • _wcslen.LIBCMT ref: 00434D9B
                                                    • _wcslen.LIBCMT ref: 00434DB0
                                                    • _wcslen.LIBCMT ref: 00434DC5
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                                                    • _memset.LIBCMT ref: 00434E27
                                                    • _wcslen.LIBCMT ref: 00434E3C
                                                    • _wcsncpy.LIBCMT ref: 00434E6F
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                                                    • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                                                    • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 302090198-3457252023
                                                    • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                    • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                                                    • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                    • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
                                                    APIs
                                                      • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                                                    • GetLastError.KERNEL32 ref: 004644B4
                                                    • GetCurrentThread.KERNEL32 ref: 004644C8
                                                    • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 1312810259-2896544425
                                                    • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                    • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                                                    • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                    • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                                                    • __wsplitpath.LIBCMT ref: 004038B2
                                                      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                    • _wcscpy.LIBCMT ref: 004038C7
                                                    • _wcscat.LIBCMT ref: 004038DC
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                      • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                                                      • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                                                    • _wcscpy.LIBCMT ref: 004039C2
                                                    • _wcslen.LIBCMT ref: 00403A53
                                                    • _wcslen.LIBCMT ref: 00403AAA
                                                    Strings
                                                    • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                                                    • Error opening the file, xrefs: 0042B8AC
                                                    • _, xrefs: 00403B48
                                                    • Unterminated string, xrefs: 0042B9BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                    • API String ID: 4115725249-188983378
                                                    • Opcode ID: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
                                                    • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                                                    • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                                                    • FindClose.KERNEL32(00000000), ref: 00434C88
                                                    • FindClose.KERNEL32(00000000), ref: 00434C9C
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                                                    • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                                                    • FindClose.KERNEL32(00000000), ref: 00434D35
                                                    • FindClose.KERNEL32(00000000), ref: 00434D43
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1409584000-438819550
                                                    • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                    • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                                    • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Timetime$Sleep
                                                    • String ID: BUTTON
                                                    • API String ID: 4176159691-3405671355
                                                    • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                    • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                                    • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,771A8FB0,771A8FB0,?,?,00000000), ref: 00442E40
                                                    • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                                                    • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                                                    • FindClose.KERNEL32(00000000), ref: 00442F80
                                                      • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,771B3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                    • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 2640511053-438819550
                                                    • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                    • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                                                    • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                                                    APIs
                                                      • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                                      • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                                      • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                                      • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                                    • _memset.LIBCMT ref: 00445E61
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                                    • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                                    • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                                    • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                                    • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                                    • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                                    • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3490752873-0
                                                    • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                    • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                                    • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                    • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                    • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                    • _memset.LIBCMT ref: 0047AB7C
                                                    • _wcslen.LIBCMT ref: 0047AC68
                                                    • _memset.LIBCMT ref: 0047ACCD
                                                    • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                    • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 0047AD84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 1588287285-2785691316
                                                    • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                    • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                    • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                    • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                    • GetLastError.KERNEL32 ref: 00436504
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                    • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 2938487562-3733053543
                                                    • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                    • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                    • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 00436162
                                                    • __swprintf.LIBCMT ref: 00436176
                                                      • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                    • __wcsicoll.LIBCMT ref: 00436185
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                    • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                    • LockResource.KERNEL32(00000000), ref: 004361B5
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                    • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                    • LockResource.KERNEL32(?), ref: 004361FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                    • String ID:
                                                    • API String ID: 2406429042-0
                                                    • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                    • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                    • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                    • GetLastError.KERNEL32 ref: 0045D59D
                                                    • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                    • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                    • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                    APIs
                                                    • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                    • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                    • _wcslen.LIBCMT ref: 0047AE18
                                                    • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                    • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                                                    • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                    • String ID: HH
                                                    • API String ID: 1915432386-2761332787
                                                    • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                    • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                    • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                    • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: DEFINE$`$h$h
                                                    • API String ID: 0-4194577831
                                                    • Opcode ID: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                                    • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                                    • Opcode Fuzzy Hash: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                                    • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                                                    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                    • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                                                    • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                    • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketsocket
                                                    • String ID:
                                                    • API String ID: 2609815416-0
                                                    • Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                    • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                    • Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                    • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                    • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                    • __wsplitpath.LIBCMT ref: 004370A5
                                                      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                    • _wcscat.LIBCMT ref: 004370BA
                                                    • __wcsicoll.LIBCMT ref: 004370C8
                                                    • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                    • String ID:
                                                    • API String ID: 2547909840-0
                                                    • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                    • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                    • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                    • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                    • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                    • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                    • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                    • String ID: *.*
                                                    • API String ID: 2693929171-438819550
                                                    • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                    • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                    • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                    • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                    APIs
                                                    • OpenClipboard.USER32(?), ref: 0046C635
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                    • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                    • CloseClipboard.USER32 ref: 0046C65D
                                                    • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                    • CloseClipboard.USER32 ref: 0046C692
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                    • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                    • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                    • CloseClipboard.USER32 ref: 0046C866
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                    • String ID: HH
                                                    • API String ID: 589737431-2761332787
                                                    • Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                    • Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
                                                    • Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                    • Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA
                                                    APIs
                                                    • __wcsicoll.LIBCMT ref: 0043643C
                                                    • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                    • __wcsicoll.LIBCMT ref: 00436466
                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __wcsicollmouse_event
                                                    • String ID: DOWN
                                                    • API String ID: 1033544147-711622031
                                                    • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                    • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                                    • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                    • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                                    APIs
                                                      • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 4170576061-0
                                                    • Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                    • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                                    • Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                    • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                                    APIs
                                                    • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                    • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                    • GetAsyncKeyState.USER32(?), ref: 004563D0
                                                    • GetAsyncKeyState.USER32(?), ref: 004563DC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorLongScreenWindow
                                                    • String ID:
                                                    • API String ID: 3539004672-0
                                                    • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                    • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                                    • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                    • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                                    APIs
                                                      • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                    • IsWindowVisible.USER32 ref: 00477314
                                                    • IsWindowEnabled.USER32 ref: 00477324
                                                    • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                                                    • IsIconic.USER32 ref: 0047733F
                                                    • IsZoomed.USER32 ref: 0047734D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                    • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                                    • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                    • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,771B3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                    • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                    • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                    • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                    • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _strncmp
                                                    • String ID: ACCEPT$^$h
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ERCP$VUUU$VUUU$VUUU
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNext
                                                    • String ID:
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                    • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                    • FindClose.KERNEL32(00000000), ref: 00436B13
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    APIs
                                                    • __time64.LIBCMT ref: 004433A2
                                                      • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                      • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                    Strings
                                                    Similarity
                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                    • String ID: rJ
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                                    • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                                      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                    Similarity
                                                    • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                    • String ID:
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                    • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0vH$HH
                                                    APIs
                                                    Similarity
                                                    • API ID: _memset
                                                    • String ID:
                                                    APIs
                                                    • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                    Similarity
                                                    • API ID: Proc
                                                    • String ID:
                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 0045A272
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                    • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                    • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                    • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                    • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                    • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                    • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                    • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                                                    • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                    • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                    • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                                                    • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                    • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                    • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                                                    • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                    • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                    • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                    • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                    • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                    APIs
                                                    • DeleteObject.GDI32(?), ref: 004593D7
                                                    • DeleteObject.GDI32(?), ref: 004593F1
                                                    • DestroyWindow.USER32(?), ref: 00459407
                                                    • GetDesktopWindow.USER32 ref: 0045942A
                                                    • GetWindowRect.USER32(00000000), ref: 00459431
                                                    • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                    • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                                    • GetClientRect.USER32(00000000,?), ref: 004595C8
                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                                    • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                    • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                    • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                    • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                    • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                                    • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                                    • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                                    • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                    • GetStockObject.GDI32(00000011), ref: 004597B7
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                    • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                                                    • DeleteDC.GDI32(00000000), ref: 004597E1
                                                    • _wcslen.LIBCMT ref: 00459800
                                                    • _wcscpy.LIBCMT ref: 0045981F
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                    • GetDC.USER32(?), ref: 004598DE
                                                    • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                    • SelectObject.GDI32(00000000,?), ref: 00459919
                                                    • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                    • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                    • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                    • API String ID: 4040870279-2373415609
                                                    • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                    • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                    • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                    • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 00441E64
                                                    • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                                    • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                    • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                    • SelectObject.GDI32(?,?), ref: 00441EBA
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                                    • GetSysColor.USER32(00000010), ref: 00441EF8
                                                    • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                    • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                                    • DeleteObject.GDI32(?), ref: 00441F1B
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                                    • FillRect.USER32(?,?,?), ref: 00441FB6
                                                      • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                                      • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                      • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                      • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                                      • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                                      • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                      • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                      • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                      • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                      • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                      • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                      • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                      • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                    • String ID:
                                                    • API String ID: 69173610-0
                                                    • Opcode ID: 8d7e9eb6a1476829fb4e0a957564412aa33fdc92885306090b82eefa456b01e4
                                                    • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                    • Opcode Fuzzy Hash: 8d7e9eb6a1476829fb4e0a957564412aa33fdc92885306090b82eefa456b01e4
                                                    • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-3360698832
                                                    • Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                    • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                    • Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                    • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                    APIs
                                                    • GetSysColor.USER32(0000000E), ref: 00433D81
                                                    • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                    • GetSysColor.USER32(00000012), ref: 00433DA3
                                                    • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                    • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                    • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                    • GetSysColor.USER32(00000011), ref: 00433DEB
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                    • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                    • SetBkColor.GDI32(?,?), ref: 00433E19
                                                    • SelectObject.GDI32(?,?), ref: 00433E29
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                    • GetWindowLongW.USER32 ref: 00433E8A
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                    • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                    • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                    • GetSysColor.USER32(00000011), ref: 00433F2E
                                                    • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                    • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                    • SelectObject.GDI32(?,?), ref: 00433F63
                                                    • DeleteObject.GDI32(?), ref: 00433F70
                                                    • SelectObject.GDI32(?,?), ref: 00433F78
                                                    • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                    • SetTextColor.GDI32(?,?), ref: 00433F83
                                                    • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1582027408-0
                                                    • Opcode ID: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                                                    • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                    • Opcode Fuzzy Hash: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                                                    • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                    APIs
                                                    • OpenClipboard.USER32(?), ref: 0046C635
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                    • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                    • CloseClipboard.USER32 ref: 0046C65D
                                                    • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                    • CloseClipboard.USER32 ref: 0046C692
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                    • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                    • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                    • CloseClipboard.USER32 ref: 0046C866
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                    • String ID: HH
                                                    • API String ID: 589737431-2761332787
                                                    • Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                    • Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
                                                    • Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                    • Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
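The function above is the sample's clipboard reader: OpenClipboard, IsClipboardFormatAvailable/GetClipboardData for format 0xD (CF_UNICODETEXT) and then 0x1 (CF_TEXT), GlobalLock to read the handle, CloseClipboard on each exit path. The following Python is an added example, not part of the Joe Sandbox report or of the sample, showing how a triage script can parse this "APIs" listing format and tag the clipboard-harvest pattern; the sample input is constructed from the lines of this function as printed above, and the report-line grammar the regex encodes is inferred from this page.

```python
import re

# Constructed sample input: lines copied in the shape of the report's "APIs"
# listing for the clipboard-reading function above (addresses as printed there).
SAMPLE_APIS = """\
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GlobalLock.KERNEL32(00000000), ref: 0046C688
• CloseClipboard.USER32 ref: 0046C692
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• GlobalLock.KERNEL32(00000000), ref: 0046C6EE
• GlobalUnlock.KERNEL32(00000000), ref: 0046C726
• CloseClipboard.USER32 ref: 0046C866
  • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, optional "(args)", then "ref: XXXXXXXX" (the call-site address).
# This grammar is inferred from the report lines on this page (assumption).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard Win32 clipboard format constants (winuser.h).
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}


def parse_api_lines(text):
    """Turn the report's API listing into a list of call records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs"/"Strings" or blank lines
        raw_args = m.group("args") or ""
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a for a in raw_args.split(",") if a],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return calls


def clipboard_read_formats(calls):
    """Return the clipboard formats a function reads, in call order.

    The harvesting pattern is OpenClipboard followed by GetClipboardData
    (GlobalLock then reads the returned handle); an empty list means the
    pattern is absent. Formats come from GetClipboardData's first argument.
    """
    names = {c["api"] for c in calls if not c["subcall"]}
    if not {"OpenClipboard", "GetClipboardData"} <= names:
        return []
    formats = []
    for c in calls:
        if c["api"] != "GetClipboardData" or not c["args"]:
            continue
        try:
            fmt = int(c["args"][0], 16)
        except ValueError:
            continue  # "?" means the sandbox could not resolve the argument
        formats.append(CLIPBOARD_FORMATS.get(fmt, f"0x{fmt:X}"))
    return formats


def triage(text):
    """Summary a triage script would attach to one function's listing."""
    calls = parse_api_lines(text)
    formats = clipboard_read_formats(calls)
    return {
        "call_count": len(calls),
        "modules": sorted({c["module"] for c in calls}),
        "clipboard_formats": formats,
        "reads_clipboard": bool(formats),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_APIS))
```

Run on the listing above, the summary reports the function reading CF_UNICODETEXT first and CF_TEXT as a fallback, which is the order a text-only clipboard grabber uses; the three CloseClipboard call sites are simply the function's separate exit paths.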
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00456692
                                                    • GetDesktopWindow.USER32 ref: 004566AA
                                                    • GetWindowRect.USER32(00000000), ref: 004566B1
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                    • DestroyWindow.USER32(?), ref: 00456731
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                    • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                    • IsWindowVisible.USER32(?), ref: 00456812
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                    • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                    • GetWindowRect.USER32(?,?), ref: 0045685C
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                    • GetMonitorInfoW.USER32 ref: 00456894
                                                    • CopyRect.USER32(?,?), ref: 004568A8
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                    • String ID: ($,$tooltips_class32
                                                    • API String ID: 541082891-3320066284
                                                    • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                    • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                    • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                    • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00454DCF
                                                    • _wcslen.LIBCMT ref: 00454DE2
                                                    • __wcsicoll.LIBCMT ref: 00454DEF
                                                    • _wcslen.LIBCMT ref: 00454E04
                                                    • __wcsicoll.LIBCMT ref: 00454E11
                                                    • _wcslen.LIBCMT ref: 00454E24
                                                    • __wcsicoll.LIBCMT ref: 00454E31
                                                      • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                    • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                    • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                    • DestroyIcon.USER32(?), ref: 00454FA2
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                    • String ID: .dll$.exe$.icl
                                                    • API String ID: 2511167534-1154884017
                                                    • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                    • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                    • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                    • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                    • _wcslen.LIBCMT ref: 00436B79
                                                    • _wcscpy.LIBCMT ref: 00436B9F
                                                    • _wcscat.LIBCMT ref: 00436BC0
                                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                    • _wcscat.LIBCMT ref: 00436C2A
                                                    • _wcscat.LIBCMT ref: 00436C31
                                                    • __wcsicoll.LIBCMT ref: 00436C4B
                                                    • _wcsncpy.LIBCMT ref: 00436C62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 1503153545-1459072770
                                                    • Opcode ID: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                                                    • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                    • Opcode Fuzzy Hash: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                                                    • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
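The routine above reads a file's version resource: GetFileVersionInfoSizeW/GetFileVersionInfoW fetch the block, VerQueryValueW is asked for \VarFileInfo\Translation, and the string literals "StringFileInfo\", "04090000" and "%u.%u.%u.%u" show how the language/codepage key and the dotted version are assembled. The Python below is an added example, not code from the report, the sample or AutoIt, that works the same derivation offline on constructed bytes: it decodes a Translation value into (language, codepage) pairs, builds the StringFileInfo sub-block path VerQueryValue expects, and formats the fixed-file-info version words. Treating "04090000" as the fallback key used when no Translation entry is present is an assumption about the routine's logic, marked as such in the code.

```python
import struct

# Assumption: the literal "04090000" seen in the routine's string list is the
# language/codepage key it falls back to when the Translation query yields
# nothing (language 0x0409 = en-US, codepage 0).
FALLBACK_LANG_CODEPAGE = "04090000"


def translation_entries(translation: bytes):
    """Decode a \\VarFileInfo\\Translation value.

    The value is an array of (WORD language, WORD codepage) pairs, little-endian;
    any trailing bytes that do not form a whole pair are ignored.
    """
    usable = len(translation) - len(translation) % 4
    return [struct.unpack_from("<HH", translation, off)
            for off in range(0, usable, 4)]


def string_subblock_path(translation: bytes, name: str) -> str:
    """Build the VerQueryValue key for one StringFileInfo entry.

    The key is \\StringFileInfo\\<lang><codepage>\\<name> with both WORDs
    rendered as four hex digits; the first translation entry is used, and
    the fallback key is substituted when the Translation value is empty.
    """
    entries = translation_entries(translation)
    if entries:
        lang, codepage = entries[0]
        key = f"{lang:04X}{codepage:04X}"
    else:
        key = FALLBACK_LANG_CODEPAGE
    return f"\\StringFileInfo\\{key}\\{name}"


def fixed_version_string(file_version_ms: int, file_version_ls: int) -> str:
    """Format VS_FIXEDFILEINFO dwFileVersionMS/dwFileVersionLS as the
    routine's "%u.%u.%u.%u": major.minor.build.revision."""
    return "%u.%u.%u.%u" % (
        file_version_ms >> 16, file_version_ms & 0xFFFF,
        file_version_ls >> 16, file_version_ls & 0xFFFF,
    )


if __name__ == "__main__":
    # Constructed Translation value: one entry, language 0x0409 (en-US),
    # codepage 0x04B0 (Unicode), the pair most Windows binaries carry.
    sample_translation = struct.pack("<HH", 0x0409, 0x04B0)
    print(string_subblock_path(sample_translation, "FileVersion"))
    print(string_subblock_path(b"", "FileVersion"))  # fallback key
    print(fixed_version_string(0x0003000A, 0x00020001))
```

A binary whose resource carries a Translation of 0409/04B0 yields the key \StringFileInfo\040904B0\FileVersion; with no Translation entry the fallback key is used instead, which is why the routine keeps the "04090000" literal alongside the "StringFileInfo\" prefix.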
                                                    APIs
                                                      • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                    • _fseek.LIBCMT ref: 004527FC
                                                    • __wsplitpath.LIBCMT ref: 0045285C
                                                    • _wcscpy.LIBCMT ref: 00452871
                                                    • _wcscat.LIBCMT ref: 00452886
                                                    • __wsplitpath.LIBCMT ref: 004528B0
                                                    • _wcscat.LIBCMT ref: 004528C8
                                                    • _wcscat.LIBCMT ref: 004528DD
                                                    • __fread_nolock.LIBCMT ref: 00452914
                                                    • __fread_nolock.LIBCMT ref: 00452925
                                                    • __fread_nolock.LIBCMT ref: 00452944
                                                    • __fread_nolock.LIBCMT ref: 00452955
                                                    • __fread_nolock.LIBCMT ref: 00452976
                                                    • __fread_nolock.LIBCMT ref: 00452987
                                                    • __fread_nolock.LIBCMT ref: 00452998
                                                    • __fread_nolock.LIBCMT ref: 004529A9
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                    • __fread_nolock.LIBCMT ref: 00452A39
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                    • String ID:
                                                    • API String ID: 2054058615-0
                                                    • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                    • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                    • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                    • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0
                                                    • API String ID: 0-4108050209
                                                    • Opcode ID: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                                                    • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                    • Opcode Fuzzy Hash: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                                                    • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                    APIs
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • GetWindowRect.USER32(?,?), ref: 004701EA
                                                    • GetClientRect.USER32(?,?), ref: 004701FA
                                                    • GetSystemMetrics.USER32(00000007), ref: 00470202
                                                    • GetSystemMetrics.USER32(00000008), ref: 00470216
                                                    • GetSystemMetrics.USER32(00000004), ref: 00470238
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                                    • GetSystemMetrics.USER32(00000007), ref: 00470273
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                                    • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                                    • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                                    • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                                                    • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                                                    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                                                    • GetClientRect.USER32(?,?), ref: 00470371
                                                    • GetStockObject.GDI32(00000011), ref: 00470391
                                                    • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                                    • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 867697134-248962490
                                                    • Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                                                    • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                                                    • Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                                                    • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                                                    APIs
                                                    • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window
                                                    • String ID: 0
                                                    • API String ID: 2353593579-4108050209
                                                    • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                    • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                    • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                    • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                    APIs
                                                    • GetSysColor.USER32 ref: 0044A11D
                                                    • GetClientRect.USER32(?,?), ref: 0044A18D
                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                    • GetWindowDC.USER32(?), ref: 0044A1B3
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                    • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                    • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                    • GetSysColor.USER32(0000000F), ref: 0044A216
                                                    • GetSysColor.USER32(00000005), ref: 0044A21E
                                                    • GetWindowDC.USER32 ref: 0044A277
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                    • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                    • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                    • GetStockObject.GDI32(00000005), ref: 0044A312
                                                    • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                    • String ID:
                                                    • API String ID: 1744303182-0
                                                    • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                    • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                    • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                    • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                    Similarity
                                                    • API ID: __wcsicoll$__wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 790654849-1810252412
                                                    • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                    • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                    • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                    • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                    Similarity
                                                    • API ID:
                                                    • String ID: >>>AUTOIT SCRIPT<<<$\
                                                    • API String ID: 0-1896584978
                                                    • Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                    • Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
                                                    • Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                    • Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
                                                    Similarity
                                                    • API ID: InitVariant
                                                    • String ID:
                                                    • API String ID: 1927566239-0
                                                    • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                    • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                    • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                    • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                    APIs
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                    • GetForegroundWindow.USER32 ref: 0046DBA4
                                                    • IsWindow.USER32(?), ref: 0046DBDE
                                                    • GetDesktopWindow.USER32 ref: 0046DCB5
                                                    • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                    • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                    Similarity
                                                    • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                    • API String ID: 1322021666-1919597938
                                                    • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                    • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                    • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                    • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                                    • _wcsncpy.LIBCMT ref: 0045DF0F
                                                    • __wsplitpath.LIBCMT ref: 0045DF54
                                                    • _wcscat.LIBCMT ref: 0045DF6C
                                                    • _wcscat.LIBCMT ref: 0045DF7E
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                                    • _wcscpy.LIBCMT ref: 0045E019
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                                    Similarity
                                                    • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                                    • String ID: *.*
                                                    • API String ID: 3201719729-438819550
                                                    • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                    • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                                                    • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                    • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                                                    Similarity
                                                    • API ID: __wcsicoll$IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2485277191-404129466
                                                    • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                    • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                    • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                    • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                    APIs
                                                    • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                    • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                    • strncnt.LIBCMT ref: 00428646
                                                    • strncnt.LIBCMT ref: 0042865A
                                                    Similarity
                                                    • API ID: strncnt$CompareErrorLastString
                                                    • String ID:
                                                    • API String ID: 1776594460-0
                                                    • Opcode ID: 409d39d31d49c90a4132468ed3074cd5345a98ee66abf4e21a74ff80ab18450e
                                                    • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                    • Opcode Fuzzy Hash: 409d39d31d49c90a4132468ed3074cd5345a98ee66abf4e21a74ff80ab18450e
                                                    • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                    APIs
                                                    • LoadIconW.USER32(?,00000063), ref: 004545DA
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                    • SetWindowTextW.USER32(?,?), ref: 00454606
                                                    • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                    • GetWindowRect.USER32(?,?), ref: 00454688
                                                    • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                    • GetDesktopWindow.USER32 ref: 00454708
                                                    • GetWindowRect.USER32(00000000), ref: 0045470F
                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                    • GetClientRect.USER32(?,?), ref: 0045476F
                                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                                    • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                    • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                    • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                    • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                                    • GetCursorInfo.USER32 ref: 00458E03
                                                    Similarity
                                                    • API ID: Cursor$Load$Info
                                                    • String ID:
                                                    • API String ID: 2577412497-0
                                                    • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                    • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                    • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                    • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                    APIs
                                                    • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                                    • GetFocus.USER32 ref: 004696E0
                                                    • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                                    Similarity
                                                    • API ID: MessagePost$CtrlFocus
                                                    • String ID: 0
                                                    • API String ID: 1534620443-4108050209
                                                    • Opcode ID: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                                                    • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                                    • Opcode Fuzzy Hash: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                                                    • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                                    APIs
                                                    • _memset.LIBCMT ref: 00468107
                                                    • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                                                    • GetMenuItemCount.USER32(?), ref: 00468227
                                                    • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                                                    • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                                                    • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                                                    • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                                                    • GetMenuItemCount.USER32 ref: 004682DC
                                                    • SetMenuItemInfoW.USER32 ref: 00468317
                                                    • GetCursorPos.USER32(00000000), ref: 00468322
                                                    • SetForegroundWindow.USER32(?), ref: 0046832D
                                                    • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                                                    • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                                                    Similarity
                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 3993528054-4108050209
                                                    • Opcode ID: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                                    • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                                    • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                                    APIs
                                                    • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                                      • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                      • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                                      • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                                    • SendMessageW.USER32(?), ref: 0046F34C
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                                    • _wcscat.LIBCMT ref: 0046F3BC
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                                    • DragFinish.SHELL32(?), ref: 0046F414
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                    • API String ID: 4085615965-3440237614
                                                    • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                    • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                    • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                                                    Similarity
                                                    • API ID: __wcsicoll
                                                    • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                    • API String ID: 3832890014-4202584635
                                                    • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                    • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                                    • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                                    APIs
                                                    • _memset.LIBCMT ref: 004669C4
                                                    • _wcsncpy.LIBCMT ref: 00466A21
                                                    • _wcsncpy.LIBCMT ref: 00466A4D
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                    • _wcstok.LIBCMT ref: 00466A90
                                                      • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                                                    • _wcstok.LIBCMT ref: 00466B3F
                                                    • _wcscpy.LIBCMT ref: 00466BC8
                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                                                    • _wcslen.LIBCMT ref: 00466D1D
                                                    • _memset.LIBCMT ref: 00466BEE
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • _wcslen.LIBCMT ref: 00466D4B
                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                                                    Similarity
                                                    • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                    • String ID: X$HH
                                                    • API String ID: 3021350936-1944015008
                                                    • Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                    • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                                    • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                                    APIs
                                                    • _memset.LIBCMT ref: 0045F4AE
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                                                    • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                                                    • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                                                    Similarity
                                                    • API ID: InfoItemMenu$Sleep_memset
                                                    • String ID: 0
                                                    • API String ID: 1504565804-4108050209
                                                    • Opcode ID: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                                    • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                                    • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                                    APIs
                                                    • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                                                    Similarity
                                                    • API ID: Window$CreateDestroy
                                                    • String ID: ,$tooltips_class32
                                                    • API String ID: 1109047481-3856767331
                                                    • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                    • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                                    • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                    APIs
                                                    • _wcsncpy.LIBCMT ref: 0045CCFA
                                                    • __wsplitpath.LIBCMT ref: 0045CD3C
                                                    • _wcscat.LIBCMT ref: 0045CD51
                                                    • _wcscat.LIBCMT ref: 0045CD63
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                    • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                    • _wcscpy.LIBCMT ref: 0045CE14
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                    • String ID: *.*
                                                    • API String ID: 1153243558-438819550
                                                    • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                    • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                    • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                    APIs
                                                    • _memset.LIBCMT ref: 00455127
                                                    • GetMenuItemInfoW.USER32 ref: 00455146
                                                    • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                                                    • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                                                    • GetMenuItemCount.USER32(?), ref: 004551D9
                                                    • SetMenu.USER32(?,00000000), ref: 004551E7
                                                    • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                                                    • DrawMenuBar.USER32 ref: 00455207
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Similarity
                                                    • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 1663942905-4108050209
                                                    • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                    • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                    • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                    Similarity
                                                    • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1481289235-0
                                                    • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                    • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                    • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                    APIs
                                                    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                    • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                    • SendMessageW.USER32 ref: 0046FBAF
                                                    • SendMessageW.USER32 ref: 0046FBE2
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                    • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                    • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                    • SendMessageW.USER32 ref: 0046FD00
                                                    Similarity
                                                    • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                    • String ID:
                                                    • API String ID: 2632138820-0
                                                    • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                    • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                    • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                    • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                    Similarity
                                                    • API ID: CursorLoad
                                                    • String ID:
                                                    • API String ID: 3238433803-0
                                                    • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                    • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                    • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                    • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                    • _wcslen.LIBCMT ref: 00460B00
                                                    • __swprintf.LIBCMT ref: 00460B9E
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                    • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                    • GetWindowRect.USER32(?,?), ref: 00460D21
                                                    • GetParent.USER32(?), ref: 00460D40
                                                    • ScreenToClient.USER32(00000000), ref: 00460D47
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                    Strings
                                                    Similarity
                                                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                    • String ID: %s%u
                                                    • API String ID: 1899580136-679674701
                                                    • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                    • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                    • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                    • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                    APIs
                                                    • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                    • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                    • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                    Strings
                                                    Similarity
                                                    • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                    • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                    • API String ID: 2485709727-934586222
                                                    • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                    • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                    • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                    • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                    • String ID: HH
                                                    • API String ID: 3381189665-2761332787
                                                    • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                    • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                    • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                    • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00434585
                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                    • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                    Strings
                                                    Similarity
                                                    • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                    • String ID: (
                                                    • API String ID: 3300687185-3887548279
                                                    • Opcode ID: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                                                    • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                    • Opcode Fuzzy Hash: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                                                    • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                                    APIs
                                                    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                    • __swprintf.LIBCMT ref: 0045E4D9
                                                    • _printf.LIBCMT ref: 0045E595
                                                    • _printf.LIBCMT ref: 0045E5B7
                                                    Strings
                                                    Similarity
                                                    • API ID: LoadString_printf$__swprintf_wcslen
                                                    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                    • API String ID: 3590180749-2894483878
                                                    • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                    • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                    • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                    • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                    • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                    • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                    • DeleteObject.GDI32(?), ref: 0046F950
                                                    • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                    • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                    • DeleteObject.GDI32(?), ref: 0046F9CF
                                                    • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                    • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                    • DestroyIcon.USER32(?), ref: 0046FA4F
                                                    • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                    • DeleteObject.GDI32(?), ref: 0046FA68
                                                    • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                    Similarity
                                                    • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                    • String ID:
                                                    • API String ID: 3412594756-0
                                                    • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                    • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                    • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                    • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                    APIs
                                                      • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                    • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    Strings
                                                    Similarity
                                                    • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 4013263488-4113822522
                                                    • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                    • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                    • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                    • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                    APIs
                                                    Similarity
                                                    • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                    • String ID:
                                                    • API String ID: 228034949-0
                                                    • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                    • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                    • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                    • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                    • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                    • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                    • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                    • DeleteObject.GDI32(?), ref: 00433603
                                                    • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                    Similarity
                                                    • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3969911579-0
                                                    • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                    • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                    • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                    • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                    APIs
                                                    • GetParent.USER32 ref: 00445A8D
                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                    • __wcsicoll.LIBCMT ref: 00445AC4
                                                    • __wcsicoll.LIBCMT ref: 00445AE0
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                    Strings
                                                    Similarity
                                                    • API ID: __wcsicoll$ClassMessageNameParentSend
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 3125838495-3381328864
                                                    • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                    • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                    • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                    • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                    Similarity
                                                    • API ID: CopyVariant$ErrorLast
                                                    • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                    • API String ID: 2286883814-4206948668
                                                    • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                    • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                    • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                    • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                    APIs
                                                      • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                    • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                    • _wcscpy.LIBCMT ref: 00475F18
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                    • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                    • API String ID: 3052893215-4176887700
                                                    • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                    • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                    • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                    • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                    APIs
                                                    • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                    • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                    • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                    • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                    • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                      • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                    • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                    Similarity
                                                    • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                    • String ID: Version$\TypeLib$interface\
                                                    • API String ID: 656856066-939221531
                                                    • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                    • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                    • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                    • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                    APIs
                                                    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                    • __swprintf.LIBCMT ref: 0045E6EE
                                                    • _printf.LIBCMT ref: 0045E7A9
                                                    • _printf.LIBCMT ref: 0045E7D2
                                                    Similarity
                                                    • API ID: LoadString_printf$__swprintf_wcslen
                                                    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 3590180749-2354261254
                                                    • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                    • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                    • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                    • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                    Similarity
                                                    • API ID: __swprintf_wcscpy$__i64tow__itow
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 3038501623-2263619337
                                                    • Opcode ID: 7b8e0de2511f5af4d8d0822e3c6977e40dd5bee4b5bc8329dee76eef781b5613
                                                    • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                                                    • Opcode Fuzzy Hash: 7b8e0de2511f5af4d8d0822e3c6977e40dd5bee4b5bc8329dee76eef781b5613
                                                    • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                    APIs
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • _memset.LIBCMT ref: 00458194
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                    • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 2255324689-22481851
                                                    • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                    • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                    • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                    • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                    • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                    • __wcsicoll.LIBCMT ref: 004585D6
                                                    • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                    • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                    Similarity
                                                    • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                    • String ID: ($interface$interface\
                                                    • API String ID: 2231185022-3327702407
                                                    • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                    • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                    • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                    • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                                                    • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                                                    • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                                                    • _wcscpy.LIBCMT ref: 004365F5
                                                    • WSACleanup.WSOCK32 ref: 004365FD
                                                    • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                                                    • _strcat.LIBCMT ref: 0043662F
                                                    • _wcscpy.LIBCMT ref: 00436644
                                                    • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                                                    • _wcscpy.LIBCMT ref: 00436666
                                                    Similarity
                                                    • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 2691793716-3771769585
                                                    • Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                    • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                    • Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                    • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                    • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                      • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                      • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                    • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                    • __lock.LIBCMT ref: 00416B8A
                                                    • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                    • __lock.LIBCMT ref: 00416BAB
                                                    • ___addlocaleref.LIBCMT ref: 00416BC9
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                    • API String ID: 1028249917-2843748187
                                                    • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                    • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                    • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                    • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                    APIs
                                                    • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                    • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                    • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                    • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                    • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                    Similarity
                                                    • API ID: MessageSend$CharNext
                                                    • String ID:
                                                    • API String ID: 1350042424-0
                                                    • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                    • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                    • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                    • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                    APIs
                                                    • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                    • SetKeyboardState.USER32(?), ref: 00453C5A
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                    • GetKeyState.USER32(000000A0), ref: 00453C99
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                    • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                    • GetKeyState.USER32(00000011), ref: 00453D15
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                    • GetKeyState.USER32(00000012), ref: 00453D4D
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                    • GetKeyState.USER32(0000005B), ref: 00453D85
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                    • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                    • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                    • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                    • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                    • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                    • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                    • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                    • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                    • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                    • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                    • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                    • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                    • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                    • String ID:
                                                    • API String ID: 136442275-0
                                                    • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                    • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                    • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                    • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ConnectRegistry_wcslen
                                                    • String ID: HH
                                                    • API String ID: 535477410-2761332787
                                                    • Opcode ID: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
                                                    • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                                    • Opcode Fuzzy Hash: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
                                                    • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                    • _wcslen.LIBCMT ref: 00460502
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                    • GetWindowRect.USER32(?,?), ref: 004606AD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                    • String ID: ThumbnailClass
                                                    • API String ID: 4123061591-1241985126
                                                    • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                    • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                                    • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                    • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                                    APIs
                                                      • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                      • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                      • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                                      • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                                    • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                    • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                    • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                    • ReleaseCapture.USER32 ref: 0046F589
                                                    • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                    • API String ID: 2483343779-2060113733
                                                    • Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                    • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                    • Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                    • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                    APIs
                                                    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                    • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                    • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                    • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                    • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                    • DestroyIcon.USER32(?), ref: 0046FFCC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                    • String ID: 2
                                                    • API String ID: 1331449709-450215437
                                                    • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                    • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                    • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                    • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DestroyWindow
                                                    • String ID: static
                                                    • API String ID: 3375834691-2160076837
                                                    • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                    • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                                    • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                    • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                    • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                    • _memcmp.LIBCMT ref: 004394A9
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                    Strings
                                                    • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                    • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                    • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                    • API String ID: 1446985595-805462909
                                                    • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                    • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                    • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                    • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                    • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                    • API String ID: 2907320926-41864084
                                                    • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                    • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                    • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                    • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                    APIs
                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                    • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                    • String ID:
                                                    • API String ID: 1932665248-0
                                                    • Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                    • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                    • Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                    • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                    • _memset.LIBCMT ref: 004481BA
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                    • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                    • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                    • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                    • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID:
                                                    • API String ID: 830647256-0
                                                    • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                    • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                                    • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                    • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                                    APIs
                                                      • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                    • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                    • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                    • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                    • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                    • DeleteObject.GDI32(00650000), ref: 0046EB4F
                                                    • DestroyIcon.USER32(00730072), ref: 0046EB67
                                                    • DeleteObject.GDI32(03A00E93), ref: 0046EB7F
                                                    • DestroyWindow.USER32(00540000), ref: 0046EB97
                                                    • DestroyIcon.USER32(?), ref: 0046EBBF
                                                    • DestroyIcon.USER32(?), ref: 0046EBCD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                    • String ID:
                                                    • API String ID: 802431696-0
                                                    • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                    • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                                    • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                    • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                                    APIs
                                                    • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                                    • GetKeyState.USER32(000000A0), ref: 00444E26
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                                    • GetKeyState.USER32(000000A1), ref: 00444E51
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                                    • GetKeyState.USER32(00000011), ref: 00444E77
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                                    • GetKeyState.USER32(00000012), ref: 00444E9D
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                                    • GetKeyState.USER32(0000005B), ref: 00444EC3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                    • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                                    • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                    • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HH
                                                    • API String ID: 0-2761332787
                                                    • Opcode ID: 42510643c9cdba6d1e7b7cb61b235febd1ff76eef9dce87624ca7f12cd0f3b2e
                                                    • Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
                                                    • Opcode Fuzzy Hash: 42510643c9cdba6d1e7b7cb61b235febd1ff76eef9dce87624ca7f12cd0f3b2e
                                                    • Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                                                    • _wcslen.LIBCMT ref: 00450944
                                                    • _wcscat.LIBCMT ref: 00450955
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                                    • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat_wcslen
                                                    • String ID: -----$SysListView32
                                                    • API String ID: 4008455318-3975388722
                                                    • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                    • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                                    • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                    • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                                    APIs
                                                    • _memset.LIBCMT ref: 00448625
                                                    • CreateMenu.USER32 ref: 0044863C
                                                    • SetMenu.USER32(?,00000000), ref: 0044864C
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                                                    • IsMenu.USER32(?), ref: 004486EB
                                                    • CreatePopupMenu.USER32 ref: 004486F5
                                                    • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                                                    • DrawMenuBar.USER32 ref: 00448742
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                    • String ID: 0
                                                    • API String ID: 176399719-4108050209
                                                    • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                    • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                                    • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                    • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                                    • GetDlgCtrlID.USER32(00000000), ref: 00469289
                                                    • GetParent.USER32 ref: 004692A4
                                                    • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                                    • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                                                    • GetParent.USER32 ref: 004692C7
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 2040099840-1403004172
                                                    • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                    • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                    • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                    • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                    • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                                    • GetParent.USER32 ref: 0046949E
                                                    • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                    • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                                    • GetParent.USER32 ref: 004694C1
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 2040099840-1403004172
                                                    • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                    • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                                    • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                    • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                                    APIs
                                                      • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                    • SendMessageW.USER32(75A523D0,00001001,00000000,00000000), ref: 00448E73
                                                    • SendMessageW.USER32(75A523D0,00001026,00000000,00000000), ref: 00448E7E
                                                      • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                    • String ID:
                                                    • API String ID: 3771399671-0
                                                    • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                    • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                    • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                    • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                    • String ID:
                                                    • API String ID: 3413494760-0
                                                    • Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                    • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                    • Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                    • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                    • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                    • String ID:
                                                    • API String ID: 2156557900-0
                                                    • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                    • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                    • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                    • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll
                                                    • String ID: 0%d$DOWN$OFF
                                                    • API String ID: 3832890014-468733193
                                                    • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                    • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                    • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                    • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                    APIs
                                                    • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                    • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                    • VariantClear.OLEAUT32 ref: 0045E970
                                                    • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                    • __swprintf.LIBCMT ref: 0045EB1F
                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                    • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                    Strings
                                                    • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                    • String ID: %4d%02d%02d%02d%02d%02d
                                                    • API String ID: 43541914-1568723262
                                                    • Opcode ID: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                                                    • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                    • Opcode Fuzzy Hash: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                                                    • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                    APIs
                                                    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                    • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DecrementInterlocked$Sleep
                                                    • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                    • API String ID: 2250217261-3412429629
                                                    • Opcode ID: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                                                    • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                    • Opcode Fuzzy Hash: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                                                    • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                    • API String ID: 0-1603158881
                                                    • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                    • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                    • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                    • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                    APIs
                                                    • _memset.LIBCMT ref: 00479D1F
                                                    • VariantInit.OLEAUT32(?), ref: 00479F06
                                                    • VariantClear.OLEAUT32(?), ref: 00479F11
                                                    • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                      • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                      • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                      • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                    • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                    • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 665237470-60002521
                                                    • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                    • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                    • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                    • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ConnectRegistry_wcslen
                                                    • String ID: HH
                                                    • API String ID: 535477410-2761332787
                                                    • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                    • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                                    • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                    • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                                    APIs
                                                    • _memset.LIBCMT ref: 0045F317
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                                    • IsMenu.USER32(?), ref: 0045F380
                                                    • CreatePopupMenu.USER32 ref: 0045F3C5
                                                    • GetMenuItemCount.USER32(?), ref: 0045F42F
                                                    • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID: 0$2
                                                    • API String ID: 3311875123-3793063076
                                                    • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                    • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                                    • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                    • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\kk.exe), ref: 0043719E
                                                    • LoadStringW.USER32(00000000), ref: 004371A7
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                    • LoadStringW.USER32(00000000), ref: 004371C0
                                                    • _printf.LIBCMT ref: 004371EC
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                    • C:\Users\user\Desktop\kk.exe, xrefs: 00437189
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_printf
                                                    • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\kk.exe
                                                    • API String ID: 220974073-3524959717
                                                    • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                    • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                                                    • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                    • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                    • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                                                    • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                    • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                                                    APIs
                                                      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\kk.exe,?,C:\Users\user\Desktop\kk.exe,004A8E80,C:\Users\user\Desktop\kk.exe,0040F3D2), ref: 0040FFCA
                                                      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                    • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                    • String ID:
                                                    • API String ID: 978794511-0
                                                    • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                    • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                                    • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                    • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                    • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                                    • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                    • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                                    APIs
                                                      • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                      • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                      • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                    • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                    • Sleep.KERNEL32(00000000), ref: 00445D70
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                    • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                                    • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                    • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AddressProc_malloc$_strcat_strlen
                                                    • String ID: AU3_FreeVar
                                                    • API String ID: 2184576858-771828931
                                                    • Opcode ID: 4909a4179154194bbb5ad4651ae7e3d2ad5cecafef5c208f0853367efa8f6917
                                                    • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                    • Opcode Fuzzy Hash: 4909a4179154194bbb5ad4651ae7e3d2ad5cecafef5c208f0853367efa8f6917
                                                    • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                    • DestroyWindow.USER32(?), ref: 0042A751
                                                    • UnregisterHotKey.USER32(?), ref: 0042A778
                                                    • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 4174999648-3243417748
                                                    • Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                    • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                                    • Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                    • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                    • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                    • String ID:
                                                    • API String ID: 1291720006-3916222277
                                                    • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                    • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                    • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                    • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
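The API listings in these function blocks (the AttachThreadInput/MapVirtualKeyW/PostMessageW keystroke block earlier on this page and the WinINet request block just above) are quicker to triage once the hex arguments are resolved to their SDK names. What follows is an added Python example, not part of the Joe Sandbox report or its IDA plugin: it parses bullet lines of exactly this shape into records, annotates the constants that occur on this page (option 0000001F passed to InternetQueryOptionW/InternetSetOptionW is INTERNET_OPTION_SECURITY_FLAGS, level 00000005 passed to HttpQueryInfoW is HTTP_QUERY_CONTENT_LENGTH, and the PostMessageW arguments 00000100/00000101 with 00000025/00000027 are WM_KEYDOWN/WM_KEYUP with VK_LEFT/VK_RIGHT), and reports whether one block both reads and writes the security flags. The embedded sample text is constructed from the lines above. The value that InternetSetOptionW writes is not visible in the listing (the buffer argument is shown as ?), so the script only flags that the option was read and then rewritten, which is the pattern to follow up on in the disassembly.

```python
"""Parse the per-function 'APIs' bullet lists of a Joe Sandbox disassembly
listing into structured records and annotate well-known numeric arguments.
Added example; not Joe Sandbox code.
"""
import re
from collections import Counter

# Constructed sample, shaped like the WinINet block in the report above.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
• InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
• HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?), ref: 00442880
• GetCurrentThreadId.KERNEL32 ref: 00445964
• _wcscat.LIBCMT ref: 0044BCAA
"""

# One bullet line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, optional "(args)", optional ", ref: XXXXXXXX" (the comma is
# absent when the call has no argument list, as for GetCurrentThreadId).
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

# Win32 SDK constants for the arguments seen on this page, keyed by
# (API name, zero-based argument index).
KNOWN_ARGS = {
    ("InternetQueryOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetSetOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoW", 1): {0x05: "HTTP_QUERY_CONTENT_LENGTH"},
    ("PostMessageW", 1): {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"},
    ("PostMessageW", 2): {0x25: "VK_LEFT", 0x27: "VK_RIGHT"},
    ("VirtualFree", 2): {0x8000: "MEM_RELEASE"},
    ("GetDeviceCaps", 1): {0x5A: "LOGPIXELSY"},
    ("SendMessageW", 1): {0x30: "WM_SETFONT"},
}


def _hexval(arg):
    """Integer value of a hex argument, or None for '?' and other placeholders."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def parse_api_lines(text):
    """Return one dict per bullet line; headings and non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": m.group("ref"),
            "subcall_of": m.group("sub"),
        })
    return calls


def annotate(call):
    """Render arguments, appending the SDK name for values listed in KNOWN_ARGS."""
    out = []
    for i, a in enumerate(call["args"]):
        v = _hexval(a)
        name = KNOWN_ARGS.get((call["api"], i), {}).get(v) if v is not None else None
        out.append(f"{a} ({name})" if name else a)
    return out


def module_summary(calls):
    """Count calls per import module (WININET, KERNEL32, ...)."""
    return Counter(c["module"] for c in calls)


def security_flags_touched(calls):
    """True when the block both queries and sets INTERNET_OPTION_SECURITY_FLAGS."""
    seen = {
        c["api"] for c in calls
        if c["api"] in ("InternetQueryOptionW", "InternetSetOptionW")
        and len(c["args"]) > 1 and _hexval(c["args"][1]) == 0x1F
    }
    return seen == {"InternetQueryOptionW", "InternetSetOptionW"}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        tag = f"  (subcall of {c['subcall_of']})" if c["subcall_of"] else ""
        print(f"{c['ref']} {c['module']}!{c['api']}({', '.join(annotate(c))}){tag}")
    print(dict(module_summary(parsed)))
    print("security flags read and rewritten:", security_flags_touched(parsed))
```

Run it against the text of any block on this page to get the same resolved view; extending KNOWN_ARGS with further (API, index) pairs is the only change needed for other blocks.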
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastselect
                                                    • String ID: HH
                                                    • API String ID: 215497628-2761332787
                                                    • Opcode ID: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
                                                    • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                    • Opcode Fuzzy Hash: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
                                                    • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __snwprintf__wcsicoll_wcscpy
                                                    • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                    • API String ID: 1729044348-3708979750
                                                    • Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                                                    • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                    • Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                                                    • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                    APIs
                                                      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\kk.exe,?,C:\Users\user\Desktop\kk.exe,004A8E80,C:\Users\user\Desktop\kk.exe,0040F3D2), ref: 0040FFCA
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                    • _wcscat.LIBCMT ref: 0044BCAA
                                                    • _wcslen.LIBCMT ref: 0044BCB7
                                                    • _wcslen.LIBCMT ref: 0044BCCB
                                                    • SHFileOperationW.SHELL32 ref: 0044BD16
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 2326526234-1173974218
                                                    • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                    • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                    • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                    • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                    APIs
                                                      • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                    • _wcslen.LIBCMT ref: 004366DD
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                    • GetLastError.KERNEL32 ref: 0043670F
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                    • _wcsrchr.LIBCMT ref: 0043674C
                                                      • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                    • String ID: \
                                                    • API String ID: 321622961-2967466578
                                                    • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                    • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                    • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                    • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                    • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                                    • Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                    • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                                    APIs
                                                    • DeleteObject.GDI32(?), ref: 0044157D
                                                    • GetDC.USER32(00000000), ref: 00441585
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID:
                                                    • API String ID: 3864802216-0
                                                    • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                    • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                                    • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                    • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                                    APIs
                                                    • _memset.LIBCMT ref: 00401257
                                                      • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                      • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                      • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                      • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                    • KillTimer.USER32(?,?), ref: 004012B0
                                                    • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                    • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                    • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                    • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                    • String ID:
                                                    • API String ID: 1792922140-0
                                                    • Opcode ID: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                                                    • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                    • Opcode Fuzzy Hash: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                                                    • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                    • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                    • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                    • ExitThread.KERNEL32 ref: 0041410F
                                                    • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                    • __freefls@4.LIBCMT ref: 00414135
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                    • String ID:
                                                    • API String ID: 1925773019-0
                                                    • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                    • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                                                    • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                    • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                                                    APIs
                                                    • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                                    • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                                    • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                                    • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                                    • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                                    • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                                    • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                                    • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                    • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                                                    • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                    • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                                                      • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                    • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                                                    • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                                                    • _memset.LIBCMT ref: 00464B92
                                                    • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                                    • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                                    • WSACleanup.WSOCK32 ref: 00464CE4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                                    • String ID:
                                                    • API String ID: 3424476444-0
                                                    • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                    • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                                    • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                    • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
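When triaging entries like the one above, the first questions are which memory-dump region each `ref:` address falls in and whether that region was executable at dump time (a resolver call sitting in a read/write region would point at injected or unpacked code rather than the original image). The following Python is an added example, not code from the Joe Sandbox report or its IDA plugin. It parses the `.sdmp` file names exactly as they appear in the "Memory Dump Source" lists. The page-protection values (PAGE_READONLY = 0x02, PAGE_READWRITE = 0x04, PAGE_EXECUTE_READ = 0x20) and MEM_IMAGE = 0x1000000 are documented Windows constants; the meaning of the remaining dotted fields (process index, dump pass, dump id) and the assumption that each region extends to the base of the next higher one are assumptions of this example, marked as such in the comments. The sample region names and `ref:` lines are copied from the report entry above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented Windows memory constants (winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* bit
MEM_IMAGE = 0x1000000

# Field layout of the .sdmp names. Only the base-address (field 4),
# protection (field 5) and type (field 7) interpretations are relied on;
# the names given to the other fields are an ASSUMPTION for this example.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump_pass>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)

REF_RE = re.compile(r"ref:\s*([0-9A-Fa-f]{8})")


@dataclass
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_ANY)

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name into base address, protection and type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name}")
    return DumpRegion(
        name=name,
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def region_for(addr: int, regions: List[DumpRegion]) -> Optional[DumpRegion]:
    """Return the region whose base is the highest one not above addr.

    The names carry no size, so a region is ASSUMED to extend up to the base
    of the next higher region (true for contiguous PE image sections).
    """
    hit = None
    for r in sorted(regions, key=lambda r: r.base):
        if r.base <= addr:
            hit = r
        else:
            break
    return hit


def resolve_refs(entry_text: str, regions: List[DumpRegion]) -> List[Tuple[int, Optional[int], Optional[bool]]]:
    """For every 'ref: XXXXXXXX' in a report entry, give (addr, region base, executable?)."""
    out = []
    for m in REF_RE.finditer(entry_text):
        addr = int(m.group(1), 16)
        r = region_for(addr, regions)
        out.append((addr, r.base if r else None, r.executable if r else None))
    return out


# Region names taken from the report entry above (process 0, pass 2).
SAMPLE_NAMES = [
    "00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp",
]
SAMPLE_REGIONS = [parse_sdmp_name(n) for n in SAMPLE_NAMES]

# API lines copied from the WSAStartup entry above.
SAMPLE_ENTRY = """\
WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
  Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(...), ref: 0045F003
gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
WSACleanup.WSOCK32 ref: 00464CE4
"""

if __name__ == "__main__":
    for r in sorted(SAMPLE_REGIONS, key=lambda r: r.base):
        print(f"{r.base:#010x} protect={r.protect:#04x} exec={r.executable} image={r.is_image}")
    for addr, base, ex in resolve_refs(SAMPLE_ENTRY, SAMPLE_REGIONS):
        print(f"ref {addr:#010x} -> region {base:#010x} executable={ex}")
```

Every `ref:` in this entry lands in the 0x401000 region dumped with PAGE_EXECUTE_READ and MEM_IMAGE, i.e. the mapped `.text` section of kk.exe itself rather than a heap or private allocation; a `ref:` resolving into one of the 0x00000004 (PAGE_READWRITE) regions would be the signal to look for unpacked or injected code.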
                                                    APIs
                                                    • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MetricsSystem
                                                    • String ID:
                                                    • API String ID: 4116985748-0
                                                    • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                    • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                    • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                    • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ConnectRegistry_wcslen
                                                    • String ID:
                                                    • API String ID: 535477410-0
                                                    • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                    • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                    • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                    • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                    APIs
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                    • _memset.LIBCMT ref: 004538C4
                                                    • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                    • _wcslen.LIBCMT ref: 00453960
                                                    • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 3530711334-4108050209
                                                    • Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                    • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                    • Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                    • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                    • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                    • String ID: HH
                                                    • API String ID: 3488606520-2761332787
                                                    • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                    • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                    • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                    • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                    APIs
                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                    • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                    • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                    • LineTo.GDI32(?,?), ref: 004474BF
                                                    • CloseFigure.GDI32(?), ref: 004474C6
                                                    • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                    • Rectangle.GDI32(?,?), ref: 004474F3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                    • String ID:
                                                    • API String ID: 4082120231-0
                                                    • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                    • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                    • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                    • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                    APIs
                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                    • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                    • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                    • LineTo.GDI32(?,?), ref: 004474BF
                                                    • CloseFigure.GDI32(?), ref: 004474C6
                                                    • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                    • Rectangle.GDI32(?,?), ref: 004474F3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                    • String ID:
                                                    • API String ID: 4082120231-0
                                                    • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                    • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                                    • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                    • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                    • String ID:
                                                    • API String ID: 288456094-0
                                                    • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                    • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                                    • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                    • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                                    APIs
                                                    • GetParent.USER32(?), ref: 004449B0
                                                    • GetKeyboardState.USER32(?), ref: 004449C3
                                                    • SetKeyboardState.USER32(?), ref: 00444A0F
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                    • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                                    • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                    • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                                    APIs
                                                    • GetParent.USER32(?), ref: 00444BA9
                                                    • GetKeyboardState.USER32(?), ref: 00444BBC
                                                    • SetKeyboardState.USER32(?), ref: 00444C08
                                                    • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                                    • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                                    • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                                    • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                    • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                    • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                    • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                    • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                    • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                    • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ConnectRegistry_wcslen
                                                    • String ID: HH
                                                    • API String ID: 535477410-2761332787
                                                    • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                    • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                    • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                    • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                    APIs
                                                    • _memset.LIBCMT ref: 00457C34
                                                    • _memset.LIBCMT ref: 00457CE8
                                                    • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                    • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                    • String ID: <$@
                                                    • API String ID: 1325244542-1426351568
                                                    • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                    • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                    • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                    • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                    • __wsplitpath.LIBCMT ref: 004737E1
                                                      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                    • _wcscat.LIBCMT ref: 004737F6
                                                    • __wcsicoll.LIBCMT ref: 00473818
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                    • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                    • String ID:
                                                    • API String ID: 2547909840-0
                                                    • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                    • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                    • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                    • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                    APIs
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                    • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                    • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                    • String ID:
                                                    • API String ID: 2354583917-0
                                                    • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                    • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                    • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                    • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                    APIs
                                                      • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                    • GetMenu.USER32 ref: 004776AA
                                                    • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                    • _wcslen.LIBCMT ref: 0047771A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Menu$CountItemStringWindow_wcslen
                                                    • String ID:
                                                    • API String ID: 1823500076-0
                                                    • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                    • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                    • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                    • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Enable$Show$MessageMoveSend
                                                    • String ID:
                                                    • API String ID: 896007046-0
                                                    • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                    • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                    • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                    • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                    APIs
                                                    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                    • SendMessageW.USER32(016D1B28,000000F1,00000000,00000000), ref: 004414C6
                                                    • SendMessageW.USER32(016D1B28,000000F1,00000001,00000000), ref: 004414F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow
                                                    • String ID:
                                                    • API String ID: 312131281-0
                                                    • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                    • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                    • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                    • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                    APIs
                                                    • _memset.LIBCMT ref: 004484C4
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                    • IsMenu.USER32(?), ref: 0044857B
                                                    • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                    • DrawMenuBar.USER32 ref: 004485E4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                    • String ID: 0
                                                    • API String ID: 3866635326-4108050209
                                                    • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                    • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                    • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                    • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                    APIs
                                                    • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                    • Sleep.KERNEL32(0000000A), ref: 00472499
                                                    • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Interlocked$DecrementIncrement$Sleep
                                                    • String ID: 0vH
                                                    • API String ID: 327565842-3662162768
                                                    • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                    • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                    • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                    • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                    APIs
                                                    • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                    • GetFocus.USER32 ref: 00448B1C
                                                    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Enable$Show$FocusMessageSend
                                                    • String ID:
                                                    • API String ID: 3429747543-0
                                                    • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                    • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                    • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                    • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                                    • __swprintf.LIBCMT ref: 0045D3CC
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu$HH
                                                    • API String ID: 3164766367-3924996404
                                                    • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                    • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                    • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                    • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                    • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                    • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 3850602802-3636473452
                                                    • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                    • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                    • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                    • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                    APIs
                                                    • ImageList_Destroy.COMCTL32(?), ref: 00455451
                                                    • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                    • String ID:
                                                    • API String ID: 3985565216-0
                                                    • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                    • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                    • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                    • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                    • __calloc_crt.LIBCMT ref: 00415743
                                                    • __getptd.LIBCMT ref: 00415750
                                                    • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                    • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                    • __dosmaperr.LIBCMT ref: 004157A9
                                                      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1269668773-0
                                                    • Opcode ID: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
                                                    • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                    • Opcode Fuzzy Hash: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
                                                    • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                    APIs
                                                      • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                      • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                                    • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                    • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                    • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                    • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                    • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                    • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                    • ExitThread.KERNEL32 ref: 004156BD
                                                    • __freefls@4.LIBCMT ref: 004156D9
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                    • String ID:
                                                    • API String ID: 4166825349-0
                                                    • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                    • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                    • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                    • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                    • API String ID: 2574300362-3261711971
                                                    • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                    • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                    • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                    • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                    • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                    • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                    • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 00433724
                                                    • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                    • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                    • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                    • GetWindowRect.USER32(?,?), ref: 00433814
                                                    • ScreenToClient.USER32(?,?), ref: 00433842
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Rect$Client$Window$MetricsScreenSystem
                                                    • String ID:
                                                    • API String ID: 3220332590-0
                                                    • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                    • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                    • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                    • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _malloc_wcslen$_strcat_wcscpy
                                                    • String ID:
                                                    • API String ID: 1612042205-0
                                                    • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                    • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                    • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                    • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                    APIs
                                                    • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                    • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                    • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                    • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                    • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                    • SendInput.USER32 ref: 0044C6E2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$InputSend
                                                    • String ID:
                                                    • API String ID: 2221674350-0
                                                    • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                    • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                    • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                    • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
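The per-function records in this listing (the APIs lines, the Similarity fields and the two fuzzy hashes) are regular enough to parse mechanically, which is how an analyst turns a long report like this one into something searchable. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses records in the layout used above, including the indented "Part of subcall function" entries, collects the Similarity fields, indexes functions by Instruction Fuzzy Hash for matching across reports, and tags API combinations worth a second look. The sample records are abridged copies of the GetVolumeInformationW, DuplicateHandle/CreateThread, LoadLibraryA/GetProcAddress and keyboard-state records above with the Associated: dump lines dropped; the heuristic labels are this example's own choices, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function records (APIs / Similarity blocks) into
structured data, index them by fuzzy hash and tag notable API combinations."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: four records abridged from the report above. The
# "Associated:" dump lines are omitted; the field layout is otherwise unchanged.
SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D32F
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
• __swprintf.LIBCMT ref: 0045D3CC
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
Memory Dump Source
• Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$HH
• Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
• Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
APIs
  • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A), ref: 00438FE8
• DuplicateHandle.KERNEL32(00000000,?,00000000,?), ref: 0043912C
• CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
• Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
• Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
• Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
APIs
• GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
• SetKeyboardState.USER32(00000080), ref: 0044C59B
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
• SendInput.USER32 ref: 0044C6E2
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
• Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                    # address of the call site
    subcall_of: Optional[str]   # callee address when the call sits in a subfunction

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self):
        return {c.name for c in self.calls}

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker;
# CRT entries like "__swprintf.LIBCMT ref: ..." carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[A-Za-z_@$][\w@$]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")
LAST_FIELD = "Instruction Fuzzy Hash"   # always the final line of a record

# API sets that, seen together in one function, merit a closer look.
# Heuristics chosen for this example; they are not Joe Sandbox signatures.
HEURISTICS = {
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "synthetic keyboard input": {"SetKeyboardState", "SendInput"},
    "volume info query (host fingerprint)": {"GetVolumeInformationW"},
}

def parse_records(text):
    """Split the listing into FunctionRecords; a record closes at its fuzzy-hash line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == LAST_FIELD:
                records.append(cur)
                cur = FunctionRecord()
    return records

def tag(record):
    """Return the heuristic labels whose whole API set appears in the record."""
    names = record.api_names()
    return sorted(label for label, need in HEURISTICS.items() if need <= names)

def index_by_fuzzy_hash(records):
    """Instruction Fuzzy Hash -> Opcode ID, for matching functions across reports."""
    return {r.fields[LAST_FIELD]: r.fields.get("Opcode ID") for r in records}

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.fields.get("API ID", "<none>"), [c.name for c in r.calls], tag(r))
```

Records without an APIs block (such as the one above whose Similarity fields are empty) still parse, because the record boundary is the Instruction Fuzzy Hash line rather than the APIs heading; feed the whole listing to parse_records and filter on tag() or on the fuzzy-hash index.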
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$_wcscat
                                                    • String ID:
                                                    • API String ID: 2037614760-0
                                                    • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                    • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                    • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                    • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                    APIs
                                                    • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                    • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                    • ScreenToClient.USER32(?,?), ref: 00447C39
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                    • EndPaint.USER32(?,?), ref: 00447CD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                    • String ID:
                                                    • API String ID: 4189319755-0
                                                    • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                    • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                    • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                    • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                    • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                    • String ID:
                                                    • API String ID: 1726766782-0
                                                    • Opcode ID: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                                                    • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                    • Opcode Fuzzy Hash: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                                                    • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                    APIs
                                                    • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                                    • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                    • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                                    • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                                    • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                    • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                    • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                    • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                    • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow$InvalidateRect
                                                    • String ID:
                                                    • API String ID: 1976402638-0
                                                    • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                    • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                    • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                    • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00442597
                                                      • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                    • GetDesktopWindow.USER32 ref: 004425BF
                                                    • GetWindowRect.USER32(00000000), ref: 004425C6
                                                    • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                    • GetCursorPos.USER32(?), ref: 00442624
                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                    • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                    • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                    • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                    APIs
                                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Enable$Show$MessageSend
                                                    • String ID:
                                                    • API String ID: 1871949834-0
                                                    • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                    • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                    • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                    • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                    APIs
                                                    • _memset.LIBCMT ref: 0044961A
                                                    • SendMessageW.USER32 ref: 0044964A
                                                      • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                    • _wcslen.LIBCMT ref: 004496BA
                                                    • _wcslen.LIBCMT ref: 004496C7
                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                    • String ID:
                                                    • API String ID: 1624073603-0
                                                    • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                    • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                    • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                    • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                    • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                    • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                    • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DestroyWindow$DeleteObject$IconMove
                                                    • String ID:
                                                    • API String ID: 1640429340-0
                                                    • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                    • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                    • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                    • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                    • String ID:
                                                    • API String ID: 3354276064-0
                                                    • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                    • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                    • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                    • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteMenuObject$IconWindow
                                                    • String ID:
                                                    • API String ID: 752480666-0
                                                    • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                    • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                    • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                    • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 0045527A
                                                    • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                    • String ID:
                                                    • API String ID: 3275902921-0
                                                    • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                    • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                    • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                    • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                    • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                    • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                    • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                    • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                    • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                    • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                    • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                    • __calloc_crt.LIBCMT ref: 0041419B
                                                    • __getptd.LIBCMT ref: 004141A8
                                                    • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                    • __dosmaperr.LIBCMT ref: 00414201
                                                      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1803633139-0
                                                    • Opcode ID: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
                                                    • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                    • Opcode Fuzzy Hash: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
                                                    • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                    APIs
                                                    • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                    • String ID:
                                                    • API String ID: 3275902921-0
                                                    • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                    • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                    • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                    • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                    APIs
                                                    • SendMessageW.USER32 ref: 004554DF
                                                    • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                    • String ID:
                                                    • API String ID: 3691411573-0
                                                    • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                    • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                    • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                    • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                    • String ID:
                                                    • API String ID: 1814673581-0
                                                    • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                    • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                    • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                    • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                    APIs
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                    • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                    • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                    • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                    APIs
                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                    • LineTo.GDI32(?,?,?), ref: 00447227
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                    • LineTo.GDI32(?,?,?), ref: 0044723D
                                                    • EndPath.GDI32(?), ref: 0044724E
                                                    • StrokePath.GDI32(?), ref: 0044725C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                    • String ID:
                                                    • API String ID: 372113273-0
                                                    • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                    • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                    • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                    • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                    • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                    • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                    • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0044CBEF
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                    • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                    • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                    • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                    • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                    • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                      • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                    • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                    • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                    • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                    • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                    • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                    • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                    • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                    • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                    • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\kk.exe,00000004), ref: 00436055
                                                    • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                    • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                    • GetLastError.KERNEL32 ref: 00436081
                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                    Similarity
                                                    • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                    • String ID:
                                                    • API String ID: 1690418490-0
                                                    • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                    • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                    • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                    • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                                    APIs
                                                      • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                    • CoInitialize.OLE32(00000000), ref: 00475B71
                                                    • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                    • CoUninitialize.OLE32 ref: 00475D71
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                    • String ID: .lnk$HH
                                                    • API String ID: 886957087-3121654589
                                                    • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                    • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                    • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                    • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                    • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                    • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                    • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                    • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 763830540-1403004172
                                                    • Opcode ID: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                                                    • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                    • Opcode Fuzzy Hash: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                                                    • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                    APIs
                                                    • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,771B2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                      • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                    Strings
                                                    Similarity
                                                    • API ID: CurrentHandleProcess$Duplicate
                                                    • String ID: nul
                                                    • API String ID: 2124370227-2873401336
                                                    • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                    • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                    • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                    • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,771B2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                      • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                    Strings
                                                    Similarity
                                                    • API ID: CurrentHandleProcess$Duplicate
                                                    • String ID: nul
                                                    • API String ID: 2124370227-2873401336
                                                    • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                    • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                    • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                    • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                    • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                    • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                    • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$DestroyLibraryLoadWindow
                                                    • String ID: SysAnimate32
                                                    • API String ID: 3529120543-1011021900
                                                    • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                    • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                    • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                    • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                    APIs
                                                    • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                    • TranslateMessage.USER32(?), ref: 0044308B
                                                    • DispatchMessageW.USER32(?), ref: 00443096
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                    Strings
                                                    Similarity
                                                    • API ID: Message$Peek$DispatchTranslate
                                                    • String ID: *.*
                                                    • API String ID: 1795658109-438819550
                                                    • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                    • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                    • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                    • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                    APIs
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                      • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                      • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                      • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                      • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                    • GetFocus.USER32 ref: 004609EF
                                                      • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                      • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                    • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                    • __swprintf.LIBCMT ref: 00460A7A
                                                    Strings
                                                    Similarity
                                                    • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                    • String ID: %s%d
                                                    • API String ID: 991886796-1110647743
                                                    • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                    • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                    • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                    • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _memset$_sprintf
                                                    • String ID: %02X
                                                    • API String ID: 891462717-436463671
                                                    • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                    • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                    • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                    • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                    APIs
                                                    • _memset.LIBCMT ref: 0042CD00
                                                    • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\kk.exe,?,C:\Users\user\Desktop\kk.exe,004A8E80,C:\Users\user\Desktop\kk.exe,0040F3D2), ref: 0040FFCA
                                                      • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                      • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                      • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                      • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                      • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                      • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                    Strings
                                                    Similarity
                                                    • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                    • String ID: $OH$@OH$X
                                                    • API String ID: 3491138722-1394974532
                                                    • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                    • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                    • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                    • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                    APIs
                                                    • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                    • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                    • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$Library$FreeLoad
                                                    • String ID:
                                                    • API String ID: 2449869053-0
                                                    • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                    • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                    • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                    • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                    APIs
                                                    • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                    • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                    • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                    • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                    • SendInput.USER32 ref: 0044C509
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: KeyboardMessagePostState$InputSend
                                                    • String ID:
                                                    • API String ID: 3031425849-0
                                                    • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                    • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                    • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                    • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                    • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Enum$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 2095303065-0
                                                    • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                    • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                    • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                    • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                    • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String
                                                    • String ID:
                                                    • API String ID: 2832842796-0
                                                    • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                    • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                    • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                    • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 00447997
                                                    • GetCursorPos.USER32(?), ref: 004479A2
                                                    • ScreenToClient.USER32(?,?), ref: 004479BE
                                                    • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                    • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Client$CursorFromPointProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 1822080540-0
                                                    • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                    • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                    • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                    • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                    • ScreenToClient.USER32(?,?), ref: 00447C39
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                    • EndPaint.USER32(?,?), ref: 00447CD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                    • String ID:
                                                    • API String ID: 659298297-0
                                                    • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                    • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                    • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                    • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 004478A7
                                                    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                    • GetCursorPos.USER32(?), ref: 00447935
                                                    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CursorMenuPopupTrack$Proc
                                                    • String ID:
                                                    • API String ID: 1300944170-0
                                                    • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                    • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                    • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                    • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                    APIs
                                                    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                      • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                      • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                      • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                      • Part of subcall function 004413F0: SendMessageW.USER32(016D1B28,000000F1,00000000,00000000), ref: 004414C6
                                                      • Part of subcall function 004413F0: SendMessageW.USER32(016D1B28,000000F1,00000001,00000000), ref: 004414F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$EnableMessageSend$LongShow
                                                    • String ID:
                                                    • API String ID: 142311417-0
                                                    • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                    • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                    • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                    • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                    APIs
                                                    • _memset.LIBCMT ref: 0044955A
                                                      • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                    • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                    • _wcslen.LIBCMT ref: 004495C1
                                                    • _wcslen.LIBCMT ref: 004495CE
                                                    • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                    • String ID:
                                                    • API String ID: 1843234404-0
                                                    • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                    • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                    • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                    • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                    • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                    • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                    • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 00445721
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                    • _wcslen.LIBCMT ref: 004457A3
                                                    • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                    • String ID:
                                                    • API String ID: 3087257052-0
                                                    • Opcode ID: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                                                    • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                    • Opcode Fuzzy Hash: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                                                    • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 00459DEF
                                                    • GetForegroundWindow.USER32 ref: 00459E07
                                                    • GetDC.USER32(00000000), ref: 00459E44
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                    • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                    • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                    • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                    • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                    APIs
                                                      • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                    • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                                                    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                    • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                                                    • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                    • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 245547762-0
                                                    • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                    • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                    • Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                    • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 00447151
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                    • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                    • BeginPath.GDI32(?), ref: 004471B7
                                                    • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Object$Select$BeginCreateDeletePath
                                                    • String ID:
                                                    • API String ID: 2338827641-0
                                                    • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                    • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                    • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                    • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                    APIs
                                                    • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                    • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0
                                                    • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                    • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                    • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                    • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
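The function at 0043771E above brackets each Sleep call with QueryPerformanceCounter, which is the shape of the sleep-acceleration check behind the report's "Contains functionality to detect sleep reduction / modifications" signature: the sample asks to sleep, measures how much wall-clock time actually passed, and treats a large shortfall as evidence that a sandbox is patching or skipping Sleep to speed up analysis. The following is an added illustration of that pattern written for this report; it is neither the sample's own code nor Joe Sandbox's. It uses Sleep and QueryPerformanceCounter on Windows and, as an assumption so it also builds elsewhere, nanosleep and CLOCK_MONOTONIC on POSIX; the 10 % undershoot tolerance is likewise an assumed value, not something recovered from the binary.

```c
#ifndef _WIN32
#define _POSIX_C_SOURCE 199309L
#endif
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Monotonic clock reading in microseconds.
 * Windows: QueryPerformanceCounter, as in the trace; elsewhere CLOCK_MONOTONIC. */
static int64_t now_us(void)
{
#ifdef _WIN32
    LARGE_INTEGER freq, ticks;
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&ticks);
    /* split into whole seconds and remainder to avoid overflowing on a long uptime */
    return (int64_t)(ticks.QuadPart / freq.QuadPart) * 1000000
         + (int64_t)(ticks.QuadPart % freq.QuadPart) * 1000000 / freq.QuadPart;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
#endif
}

/* Block for the requested number of milliseconds (Sleep on Windows, nanosleep elsewhere). */
static void sleep_ms(unsigned ms)
{
#ifdef _WIN32
    Sleep(ms);
#else
    struct timespec req = { (time_t)(ms / 1000), (long)(ms % 1000) * 1000000L };
    while (nanosleep(&req, &req) != 0) { /* resume the remainder after a signal */ }
#endif
}

/* Sleep for `ms` and report how long the call actually took, in microseconds. */
int64_t timed_sleep_us(unsigned ms)
{
    int64_t start = now_us();
    sleep_ms(ms);
    return now_us() - start;
}

/* Verdict on a measured sleep: 1 when the clock advanced at least (roughly) the
 * requested time, 0 when it advanced far less, which is how a sandbox that
 * shortens or skips Sleep looks from inside the process.
 * The 10 % undershoot allowance for timer granularity is an assumed value. */
int sleep_was_honoured(unsigned requested_ms, int64_t elapsed_us)
{
    int64_t minimum_us = ((int64_t)requested_ms * 1000 * 9) / 10;
    return elapsed_us >= minimum_us;
}

int main(void)
{
    const unsigned request_ms = 500;
    int64_t elapsed = timed_sleep_us(request_ms);
    printf("requested %u ms, slept %lld us: %s\n", request_ms, (long long)elapsed,
           sleep_was_honoured(request_ms, elapsed) ? "sleep honoured"
                                                   : "sleep shortened (sandbox?)");
    return 0;
}
```

The defensive takeaway is the mirror image: an analysis environment that accelerates Sleep should also scale the clock sources a sample can read (QueryPerformanceCounter, GetTickCount, the TSC), otherwise a check like this one reveals the acceleration and the sample can go dormant.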
                                                    APIs
                                                    • SendMessageW.USER32 ref: 0046FD00
                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                    • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                    • DestroyIcon.USER32(?), ref: 0046FD58
                                                    • DestroyIcon.USER32(?), ref: 0046FD5F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$DestroyIcon
                                                    • String ID:
                                                    • API String ID: 3419509030-0
                                                    • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                    • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                    • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                    • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                    APIs
                                                    • __getptd.LIBCMT ref: 004175AE
                                                      • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                      • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                    • __amsg_exit.LIBCMT ref: 004175CE
                                                    • __lock.LIBCMT ref: 004175DE
                                                    • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                    • InterlockedIncrement.KERNEL32(016D2DA0), ref: 00417626
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                    • String ID:
                                                    • API String ID: 4271482742-0
                                                    • Opcode ID: cef6af0c730a10c674891530ba4a9f92a8997b3b581fa775581189220e01fce3
                                                    • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                    • Opcode Fuzzy Hash: cef6af0c730a10c674891530ba4a9f92a8997b3b581fa775581189220e01fce3
                                                    • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$Icon
                                                    • String ID:
                                                    • API String ID: 4023252218-0
                                                    • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                    • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                    • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                    • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                    • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                    • MessageBeep.USER32(00000000), ref: 0046036D
                                                    • KillTimer.USER32(?,0000040A), ref: 00460392
                                                    • EndDialog.USER32(?,00000001), ref: 004603AB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                    • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                                                    • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                    • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                                                    APIs
                                                    • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                    • String ID:
                                                    • API String ID: 1489400265-0
                                                    • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                    • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                                                    • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                    • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                                                    APIs
                                                      • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                    • String ID:
                                                    • API String ID: 1042038666-0
                                                    • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                    • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                                                    • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                    • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                    • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                                                    • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                    • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                                                    APIs
                                                      • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                    • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                    • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                    • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                    • ExitThread.KERNEL32 ref: 0041410F
                                                    • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                    • __freefls@4.LIBCMT ref: 00414135
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                    • String ID:
                                                    • API String ID: 132634196-0
                                                    • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                    • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                                                    • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                    • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                                                    APIs
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                                                      • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                    • __getptd_noexit.LIBCMT ref: 00415620
                                                    • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                                                    • __freeptd.LIBCMT ref: 0041563B
                                                    • ExitThread.KERNEL32 ref: 00415643
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 3798957060-0
                                                    • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                    • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                                                    • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                    • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
                                                    APIs
                                                      • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                    • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                    • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                    • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                    • ExitThread.KERNEL32 ref: 004156BD
                                                    • __freefls@4.LIBCMT ref: 004156D9
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                    • String ID:
                                                    • API String ID: 1537469427-0
                                                    • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                    • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
                                                    • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                    • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _malloc
                                                    • String ID: Default$|k
                                                    • API String ID: 1579825452-2254895183
                                                    • Opcode ID: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
                                                    • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                                                    • Opcode Fuzzy Hash: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
                                                    • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID: '$[$h
                                                    • API String ID: 2931989736-1224472061
                                                    • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                    • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                                                    • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                    • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _strncmp
                                                    • String ID: >$R$U
                                                    • API String ID: 909875538-1924298640
                                                    • Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                    • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                                                    • Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                    • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                                                    APIs
                                                      • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                    • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                    • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                    • CoUninitialize.OLE32 ref: 0046CE50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                    • String ID: .lnk
                                                    • API String ID: 886957087-24824748
                                                    • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                    • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                                    • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                    • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 176396367-557222456
                                                    • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                    • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                                    • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                    • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
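The string referenced by the function above is a regular expression. Read as one, it recognises three kinds of token: a backslash escape (`\\`, `\n`, `\r`, `\t`), a literal `%%`, and a printf-style conversion specification (`%`, at most one flag character, optional width and precision including `*`, an optional `h`/`l`/`L` length modifier, and one of `diouxXeEfgGs`). The following Python example is added here to make that concrete; it is not code from the report or from the sample. The pattern is copied verbatim from the entry; the format strings it is run on are constructed for the example.

```python
import re

# The pattern exactly as it appears in the report's string reference (raw string, so the
# doubled backslashes reach the regex engine unchanged).
FORMAT_TOKEN = re.compile(
    r"\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]"
)


def tokenize_format(fmt: str):
    """Return (kind, text) for every match: C-style escape, literal '%%', or a conversion."""
    out = []
    for m in FORMAT_TOKEN.finditer(fmt):
        tok = m.group(0)
        if tok.startswith("\\"):
            out.append(("escape", tok))
        elif tok == "%%":
            out.append(("percent", tok))
        else:
            out.append(("conversion", tok))
    return out


def conversion_types(fmt: str):
    """Conversion characters in order: one argument must be supplied for each of these."""
    return [tok[-1] for kind, tok in tokenize_format(fmt) if kind == "conversion"]


# Constructed inputs. The raw string keeps the backslash so '\n' is seen as an escape token.
SAMPLE = r"%-08.3lf\n%s %% %*d"
ONLY_ONE_FLAG = "%-+d"   # two flag characters: the pattern does not match this at all
NOT_A_CONVERSION = "%n"  # 'n' is not in the conversion set, so it is not a token either
```

`tokenize_format(SAMPLE)` yields a conversion for `%-08.3lf`, the escape `\n`, the conversion `%s`, the literal `%%`, and the conversion `%*d`; `ONLY_ONE_FLAG` and `NOT_A_CONVERSION` produce no tokens, which is the behaviour the single-character flag class and the conversion-character class imply.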
                                                    APIs
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                    • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                    • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCopyInit_malloc
                                                    • String ID: 4RH
                                                    • API String ID: 2981388473-749298218
                                                    • Opcode ID: 0ecc23cf10d45d221d402e646a959f016f56f7df0d424eb76d23c0d4b9967ba2
                                                    • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                                                    • Opcode Fuzzy Hash: 0ecc23cf10d45d221d402e646a959f016f56f7df0d424eb76d23c0d4b9967ba2
                                                    • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                                                    APIs
                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                    • __wcsnicmp.LIBCMT ref: 0046681A
                                                    • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                    • String ID: LPT$HH
                                                    • API String ID: 3035604524-2728063697
                                                    • Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                                                    • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                                                    • Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                                                    • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                                                    APIs
                                                      • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                                      • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                                    • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MemoryProcess$ReadWrite
                                                    • String ID: @
                                                    • API String ID: 4055202900-2766056989
                                                    • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                    • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                                                    • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                    • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CrackInternet_memset_wcslen
                                                    • String ID: |
                                                    • API String ID: 915713708-2343686810
                                                    • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                    • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                                                    • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                    • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                    • HttpQueryInfoW.WININET ref: 0044A892
                                                      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 3705125965-3916222277
                                                    • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                    • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                                                    • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                    • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                    • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                                                    • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                    • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                    • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                    • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressFreeLoadProc
                                                    • String ID: AU3_GetPluginDetails
                                                    • API String ID: 145871493-4132174516
                                                    • Opcode ID: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                                                    • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                                    • Opcode Fuzzy Hash: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                                                    • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                                    APIs
                                                    • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 3375834691-2298589950
                                                    • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                    • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                                                    • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                    • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                    • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                    • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                                    • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                    • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume
                                                    • String ID: HH
                                                    • API String ID: 2507767853-2761332787
                                                    • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                    • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                    • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                    • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume
                                                    • String ID: HH
                                                    • API String ID: 2507767853-2761332787
                                                    • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                    • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                    • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                    • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                    • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                    • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                    • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                    • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                    APIs
                                                      • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                    • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
                                                    • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                    • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                    • String ID: HH
                                                    • API String ID: 1515696956-2761332787
                                                    • Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                    • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                    • Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                    • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                    APIs
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • GetMenuItemInfoW.USER32 ref: 004497EA
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                    • DrawMenuBar.USER32 ref: 00449828
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Menu$InfoItem$Draw_malloc
                                                    • String ID: 0
                                                    • API String ID: 772068139-4108050209
                                                    • Opcode ID: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                                                    • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                    • Opcode Fuzzy Hash: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                                                    • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AllocTask_wcslen
                                                    • String ID: hkG
                                                    • API String ID: 2651040394-3610518997
                                                    • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                    • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                    • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                    • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                    • API String ID: 2574300362-1816364905
                                                    • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                    • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                    • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                    • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
                                                    • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: ICMP.DLL$IcmpSendEcho
                                                    • API String ID: 2574300362-58917771
                                                    • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                    • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                    • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                    • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                    • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: ICMP.DLL$IcmpCloseHandle
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                    • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: ICMP.DLL$IcmpCreateFile
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: IsWow64Process$kernel32.dll
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    APIs
                                                    • __flush.LIBCMT ref: 00414630
                                                    • __fileno.LIBCMT ref: 00414650
                                                    • __locking.LIBCMT ref: 00414657
                                                    • __flsbuf.LIBCMT ref: 00414682
                                                      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                    Similarity
                                                    • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                    • String ID:
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                    • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                    • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                    Similarity
                                                    • API ID: CopyVariant$ErrorLast
                                                    • String ID:
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                    • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                    • #21.WSOCK32 ref: 004740E0
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                    Similarity
                                                    • API ID: ErrorLast$socket
                                                    • String ID:
                                                    APIs
                                                    • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                    • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                    • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                    • MessageBeep.USER32(00000000), ref: 00441DF2
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                    • __isleadbyte_l.LIBCMT ref: 004238B2
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                    • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                    • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                    • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    APIs
                                                    • GetParent.USER32(?), ref: 004505BF
                                                    • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                    • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                    • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                    Similarity
                                                    • API ID: Proc$Parent
                                                    • String ID:
                                                    APIs
                                                      • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                    • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                    • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                    • __itow.LIBCMT ref: 00461461
                                                    • __itow.LIBCMT ref: 004614AB
                                                    Similarity
                                                    • API ID: MessageSend$__itow$_wcslen
                                                    • String ID:
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00472806
                                                      • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                      • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                      • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                    • GetCaretPos.USER32(?), ref: 0047281A
                                                    • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                    • GetForegroundWindow.USER32 ref: 0047285C
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                    • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                    • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                    • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                    APIs
                                                      • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$AttributesLayered
                                                    • String ID:
                                                    • API String ID: 2169480361-0
                                                    • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                    • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                    • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                    • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                    APIs
                                                    • SendMessageW.USER32 ref: 00448CB8
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow
                                                    • String ID:
                                                    • API String ID: 312131281-0
                                                    • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                    • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                    • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                    • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                    APIs
                                                    • select.WSOCK32 ref: 0045890A
                                                    • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                    • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastacceptselect
                                                    • String ID:
                                                    • API String ID: 385091864-0
                                                    • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                    • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                    • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                    • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                    • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                    • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                    • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                    • GetStockObject.GDI32(00000011), ref: 00433695
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                    • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateMessageObjectSendShowStock
                                                    • String ID:
                                                    • API String ID: 1358664141-0
                                                    • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                    • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                    • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                    • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                    • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 2880819207-0
                                                    • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                    • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                    • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                    • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00434037
                                                    • ScreenToClient.USER32(?,?), ref: 0043405B
                                                    • ScreenToClient.USER32(?,?), ref: 00434085
                                                    • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                    • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                    • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                    • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 00436A45
                                                      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                    • __wsplitpath.LIBCMT ref: 00436A6C
                                                    • __wcsicoll.LIBCMT ref: 00436A93
                                                    • __wcsicoll.LIBCMT ref: 00436AB0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                    • String ID:
                                                    • API String ID: 1187119602-0
                                                    • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                    • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                    • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                    • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                    • String ID:
                                                    • API String ID: 1597257046-0
                                                    • Opcode ID: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                                                    • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                    • Opcode Fuzzy Hash: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                                                    • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                    APIs
                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyObject$IconWindow
                                                    • String ID:
                                                    • API String ID: 3349847261-0
                                                    • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                    • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                    • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                    • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 2223660684-0
                                                    • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                    • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                                    • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                    • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                                    APIs
                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                    • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                                    • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                                    • EndPath.GDI32(?), ref: 004472B0
                                                    • StrokePath.GDI32(?), ref: 004472BE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 2783949968-0
                                                    • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                    • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                                    • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                    • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                                    APIs
                                                    • __getptd.LIBCMT ref: 00417D1A
                                                      • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                      • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                    • __getptd.LIBCMT ref: 00417D31
                                                    • __amsg_exit.LIBCMT ref: 00417D3F
                                                    • __lock.LIBCMT ref: 00417D4F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                    • String ID:
                                                    • API String ID: 3521780317-0
                                                    • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                    • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                                    • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                    • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00471144
                                                    • GetDC.USER32(00000000), ref: 0047114D
                                                    • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                                                    • ReleaseDC.USER32(00000000,?), ref: 0047117B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                    • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                                                    • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                    • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00471102
                                                    • GetDC.USER32(00000000), ref: 0047110B
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                    • ReleaseDC.USER32(00000000,?), ref: 00471139
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                    • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                                                    • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                    • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
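The two GetDeviceCaps functions above share the same API String ID (2889604237-0) because that hash covers only the API set and string references, while their Opcode IDs and instruction fuzzy hashes differ: the code is near-identical except for the GetDeviceCaps index argument (0x74 and 0x0C). The following Python is an added example, not part of the Joe Sandbox report or of its tooling. It parses function records in the layout shown on this page (assumed from the text as extracted here, not from any documented Joe Sandbox schema), groups records that collide on API String ID but differ in Opcode ID, and decodes GetDeviceCaps indices using the documented wingdi.h constants. The embedded SAMPLE is the two records above, copied with the "Associated:" lines dropped.

```python
"""Parse Joe Sandbox per-function "APIs / Similarity" records and compare them.

Added example for this report; the record layout is inferred from the page
text, not from a published Joe Sandbox format specification."""
import re
from collections import defaultdict

# Constructed input: the two GetDeviceCaps records copied from this report,
# with the "Associated:" lines and "Download File" link labels removed.
SAMPLE = """\
APIs
• GetDesktopWindow.USER32 ref: 00471144
• GetDC.USER32(00000000), ref: 0047114D
• GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
• ReleaseDC.USER32(00000000,?), ref: 0047117B
Memory Dump Source
• Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_kk.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
APIs
• GetDesktopWindow.USER32 ref: 00471102
• GetDC.USER32(00000000), ref: 0047110B
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
• ReleaseDC.USER32(00000000,?), ref: 00471139
Memory Dump Source
• Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_kk.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RECORD_STARTERS = {"APIs", "Strings", "Memory Dump Source"}

# One API line: optional "Part of subcall function X: " prefix, Name.MODULE,
# optional (args), then "ref: ADDRESS".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Documented GetDeviceCaps index constants from wingdi.h.
DEVICE_CAPS = {8: "HORZRES", 10: "VERTRES", 12: "BITSPIXEL",
               88: "LOGPIXELSX", 90: "LOGPIXELSY", 116: "VREFRESH"}


def parse_records(text):
    """Split report text into one dict per function record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            # A starter header after a finished Similarity block opens a new record.
            if cur is None or (line in RECORD_STARTERS and "API String ID" in cur):
                cur = {"apis": []}
                records.append(cur)
            section = line
            continue
        if cur is None:
            continue  # stray text before the first header
        if line.startswith("•"):
            line = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                cur["apis"].append({
                    "name": m.group("name"), "module": m.group("module"),
                    "args": args.split(",") if args is not None else [],
                    "ref": m.group("ref"), "caller": m.group("caller"),
                })
        else:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return records


def api_names(record):
    """Direct (non-subcall) API names in call order."""
    return [a["name"] for a in record["apis"] if a["caller"] is None]


def device_caps_indices(record):
    """GetDeviceCaps index arguments decoded to their documented names."""
    out = []
    for a in record["apis"]:
        if a["name"] == "GetDeviceCaps" and len(a["args"]) >= 2:
            idx = int(a["args"][1], 16)
            out.append(DEVICE_CAPS.get(idx, f"index {idx}"))
    return out


def same_apis_different_code(records):
    """API String IDs shared by records whose Opcode IDs nevertheless differ.

    The API String ID hashes only the API set and strings, so a collision
    with distinct Opcode IDs means "same imports, different code"."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API String ID")].append(r.get("Opcode ID"))
    return {k: v for k, v in groups.items() if len(set(v)) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["API String ID"], r["Opcode ID"][:16], api_names(r), device_caps_indices(r))
    print(same_apis_different_code(recs))
```

Run against the full report text, the collision map is a quick way to find families of helper functions that the API-level hash lumps together but the instruction-level hashes keep apart, which is where hand review of the disassembly should start.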
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                    • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                    • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                    • AttachThreadInput.USER32(00000000), ref: 004389E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                    • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                                    • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                    • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                                                    • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                                                    • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                                                    • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                                                      • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                                                      • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                    • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                                                    • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                    • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                                                    APIs
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                                                      • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                    • __getptd_noexit.LIBCMT ref: 00414080
                                                    • __freeptd.LIBCMT ref: 0041408A
                                                    • ExitThread.KERNEL32 ref: 00414093
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 3182216644-0
                                                    • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                    • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                    • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                    • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower
                                                    • String ID: $8'I
                                                    • API String ID: 2358735015-3608026889
                                                    • Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                    • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                                    • Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                    • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                                    APIs
                                                    • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                      • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                                      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                    • String ID: AutoIt3GUI$Container
                                                    • API String ID: 3380330463-3941886329
                                                    • Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                    • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                    • Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                    • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00409A61
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                    • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                    • String ID: 0vH
                                                    • API String ID: 1143807570-3662162768
                                                    • Opcode ID: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                                                    • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                                                    • Opcode Fuzzy Hash: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                                                    • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HH$HH
                                                    • API String ID: 0-1787419579
                                                    • Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                    • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                                                    • Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                    • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                                                    • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                                                    • Opcode Fuzzy Hash: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                                                    • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                                                    APIs
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                    • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                                                    • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                    • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0
                                                    • API String ID: 0-4108050209
                                                    • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                    • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                                                    • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                    • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                    • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                                                    • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                    • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    • API String ID: 2978978980-2167791130
                                                    • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                    • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                                                    • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                    • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00474833
                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                    • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                                                    • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                    • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                                                    Similarity
                                                    • API ID: htonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    • API String ID: 3832099526-2422070025
                                                    • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                    • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                                                    • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                    • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                    Similarity
                                                    • API ID: MessageSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 455545452-1403004172
                                                    • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                    • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                                                    • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                    • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                    Similarity
                                                    • API ID: InternetOpen
                                                    • String ID: <local>
                                                    • API String ID: 2038078732-4266983199
                                                    • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                    • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                                    • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                    • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                    Similarity
                                                    • API ID: MessageSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 455545452-1403004172
                                                    • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                    • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                                    • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                    • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                                                    APIs
                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                    • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                                    Similarity
                                                    • API ID: MessageSend_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 455545452-1403004172
                                                    • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                    • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                                                    • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                    • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                                                    Similarity
                                                    • API ID: _strncmp
                                                    • String ID: ,$UTF8)
                                                    • API String ID: 909875538-2632631837
                                                    • Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                    • Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
                                                    • Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                    • Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
                                                    Similarity
                                                    • API ID: _strncmp
                                                    • String ID: ,$UTF8)
                                                    • API String ID: 909875538-2632631837
                                                    • Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                    • Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
                                                    • Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                    • Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
                                                    APIs
                                                    • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                    • wsprintfW.USER32 ref: 004560E9
                                                    Similarity
                                                    • API ID: MessageSend_mallocwsprintf
                                                    • String ID: %d/%02d/%02d
                                                    • API String ID: 1262938277-328681919
                                                    • Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                                                    • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                                    • Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                                                    • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                                      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                    • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                                                    • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                    • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                                                    • PostMessageW.USER32(00000000), ref: 00442247
                                                      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                    • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                                    • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                    • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                                      • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1328284039.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1328262584.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328331471.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328351417.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1328407960.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_kk.jbxd
                                                    Similarity
                                                    • API ID: Message_doexit
                                                    • String ID: AutoIt$Error allocating memory.
                                                    • API String ID: 1993061046-4017498283
                                                    • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                    • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                                    • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                    • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
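The "APIs" entries in the blocks above share one textual shape: `FUNC.MODULE(arg, arg, ...), ref: ADDRESS`, optionally nested as `Part of subcall function CALLER: ...`, and occasionally without an argument list (`_doexit.LIBCMT ref: 00411A2B`). When triaging many such reports it is useful to turn those lines into records and match them against indicators, for instance the `MessageBoxW` whose caption is `AutoIt` and whose text is `Error allocating memory.` (the out-of-memory dialog of the AutoIt runtime, which is why these strings are a useful hint that the dropper is an AutoIt-compiled wrapper), or the `FindWindowW(Shell_TrayWnd)` immediately followed by `PostMessageW`. The parser and matcher below are an added example written for this page, not Joe Sandbox code; the entry grammar is inferred from the lines shown here, the sample input is constructed to mirror them, and the indicator names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the "APIs" entries from the blocks above, verbatim.
SAMPLE_API_LINES = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
"""

# Grammar assumed from the entries on this page (not a documented Joe Sandbox format):
#   [Part of subcall function CALLER:] FUNC.MODULE[(args)][,] ref: ADDRESS
_ENTRY = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: int                       # address of the call site in the dump
    caller: Optional[int] = None   # set when the entry is reached via a subcall


def parse_api_entries(text: str) -> list:
    """Parse report 'APIs' lines into ApiCall records; unknown lines raise."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised APIs entry: {line!r}")
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16), caller))
    return calls


# Indicator rules (names are my own): (name, API function, predicate over its args).
INDICATORS = [
    ("autoit_runtime_oom_msgbox", "MessageBoxW",
     lambda a: "Error allocating memory." in a and "AutoIt" in a),
    ("shell_traywnd_lookup", "FindWindowW",
     lambda a: a[:1] == ["Shell_TrayWnd"]),
]


def match_indicators(calls: list) -> dict:
    """Map each indicator that fires to the call-site addresses where it fired."""
    hits = {}
    for name, func, pred in INDICATORS:
        refs = [c.ref for c in calls if c.func == func and pred(c.args)]
        if refs:
            hits[name] = refs
    return hits


def traywnd_then_postmessage(calls: list, window: int = 8) -> list:
    """(find_ref, post_ref) pairs where PostMessageW follows FindWindowW(Shell_TrayWnd)
    within `window` bytes of code, as in the 00442240 / 00442247 pair above."""
    pairs = []
    for i, c in enumerate(calls):
        if c.func == "FindWindowW" and c.args[:1] == ["Shell_TrayWnd"]:
            for d in calls[i + 1:]:
                if d.func == "PostMessageW" and 0 < d.ref - c.ref <= window:
                    pairs.append((c.ref, d.ref))
    return pairs


if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE_API_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.func}.{c.module} {c.args} caller={c.caller}")
    print(match_indicators(parsed))
    print([(f"{a:08X}", f"{b:08X}") for a, b in traywnd_then_postmessage(parsed)])
```

The regex deliberately treats everything between the parentheses as a comma-separated list, which is fine for the entries on this page but would mis-split a string argument that itself contains a comma; if that matters for a given report, tighten the argument grammar before trusting the indicator matches.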