Analysis Report TkAngEQurH.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 763719
Start date: 18.01.2019
Start time: 15:22:17
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TkAngEQurH.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/6@7/2
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 81%
  • Number of executed functions: 92
  • Number of non-executed functions: 238
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe, WmiApSrv.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: RegAsm.exe

Detection

Strategy    Score   Range     Reporting        Whitelisted   Detection
Threshold   100     0 - 100   Report FP / FN   false         malicious

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false



Analysis Advice

None of the HTTP servers contacted by the sample resolve; the sample is likely an old dropper that no longer works.
Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Techniques per tactic, in the order the matrix lists them; the number in parentheses is the hit count shown in the matrix cell, and cells without a number had no matching signature.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Graphical User Interface (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Bootkit (1); Startup Items (2); Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Startup Items (2); Process Injection (111); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Software Packing (2); Disabling Security Tools (1); Process Injection (111); Obfuscated Files or Information (3); Masquerading; DLL Search Order Hijacking
Credential Access: Input Capture (11); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Process Discovery (3); Account Discovery (1); Security Software Discovery (5111); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (34)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Input Capture (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Uncommonly Used Port (1); Standard Cryptographic Protocol (1); Remote Access Tools (1); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (2); Commonly Used Port

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, VirusTotal detection: 46%
Multi AV Scanner detection for submitted file
Source: TkAngEQurH.exe, VirusTotal detection: 46%
Antivirus detection for unpacked file
Source: 2.0.RegAsm.exe.400000.0.unpack, Avira label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.4.unpack, Avira label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.3.unpack, Avira label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.1.unpack, Avira label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.2.unpack, Avira label: TR/Dropper.Gen
Source: 2.2.RegAsm.exe.400000.3.unpack, Avira label: TR/Dropper.MSIL.Gen


Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe, code function 0_2_00464696: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code function 4_2_00464696: GetFileAttributesW,FindFirstFileW,FindClose

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code functions (each entry: function id, then the instruction that follows the 4x nop run):
4_2_00397585: 4x nop then jmp 003977E5h
4_2_0039E0BE: 4x nop then push dword ptr [ebp+14h]
4_2_0039E138: 4x nop then push dword ptr [ebp+14h]
4_2_00390136: 4x nop then jmp 003901E4h
4_2_0039D10A: 4x nop then mov ecx, 0000003Ch
4_2_0039D10A: 4x nop then lea eax, dword ptr [ebp-64h]
4_2_0039D10A: 4x nop then mov ecx, 00000005h
4_2_00391177: 4x nop then mov edx, dword ptr [ebp+08h]
4_2_0039D217: 4x nop then mov ecx, 00000005h
4_2_00391247: 4x nop then push dword ptr [ebp+1Ch]
4_2_00390282: 4x nop then jmp 00390327h
4_2_00389404: 4x nop then add edi, 04h
4_2_00389474: 4x nop then add edi, 04h
4_2_003914ED: 4x nop then mov edi, eax
4_2_0039155D: 4x nop then mov edi, eax
4_2_0039D542: 4x nop then inc dword ptr [ebp-04h]
4_2_003915E0: 4x nop then mov edi, eax
4_2_0039164D: 4x nop then mov edi, eax
4_2_0039F79F: 4x nop then cmp al, 7Ah
4_2_0039F79F: 4x nop then sub al, 20h
4_2_00391856: 4x nop then push 00008000h
4_2_0039F97C: 4x nop then mov ebx, dword ptr [edx+000000ECh]
4_2_00389D77: 4x nop then cmp eax, dword ptr [edx+0111C55Ch]
4_2_00389D77: 4x nop then cmp eax, dword ptr [edx+0111C544h]
4_2_00399D5C: 4x nop then cmp eax, 7Ah
4_2_00399D5C: 4x nop then sub eax, 20h
4_2_00399D5C: 4x nop then cmp eax, 7Ah
4_2_00399D5C: 4x nop then sub eax, 20h
4_2_00388DE2: 4x nop then add edi, 04h
4_2_00390E02: 4x nop then mov eax, dword ptr [ebp-08h]
4_2_00390E02: 4x nop then cmp edx, dword ptr [esi+00001092h]
4_2_00390E02: 4x nop then cmp ecx, dword ptr [esi+00001082h]
4_2_00390E02: 4x nop then mov eax, esi
4_2_00390E02: 4x nop then mov edx, dword ptr [ebp+08h]
4_2_0038FF33: 4x nop then jmp 0038FFE9h
4_2_00390F40: 4x nop then mov eax, dword ptr [ebp-08h]
4_2_00390F40: 4x nop then mov edx, dword ptr [ebp+08h]
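
The "4x nop then ..." entries above come from a static heuristic: a compiler rarely emits four or more consecutive NOPs inside a function body, while hand-written shellcode stubs and obfuscators pad with them. The scanner below is an added example, not Joe Sandbox code and not the sample's code: it walks a raw code buffer, reports every NOP run of at least four bytes, and decodes the instruction that follows for the handful of 32-bit opcodes that appear in the list above (jmp rel8/rel32, push dword ptr [ebp+disp8], mov r32 imm32, add edi imm8, cmp/sub al imm8). The code bytes in `SAMPLE_CODE` and the 0x400000 base are constructed for the demonstration.

```python
"""Flag runs of inline NOPs in raw x86 code and decode the instruction that follows.

Added example, not Joe Sandbox code. Only the opcodes seen in the report's
"4x nop then ..." list are decoded; anything else is shown as a raw byte.
"""
import struct

MIN_RUN = 4          # the "4x nop" threshold used in the report
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def decode_next(buf, off, base):
    """Return (text, length) for the instruction at buf[off]; base is the VA of buf[0]."""
    avail = len(buf) - off
    op = buf[off]
    if op == 0xEB and avail >= 2:                                  # jmp rel8
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        return "jmp %08Xh" % ((base + off + 2 + rel) & 0xFFFFFFFF), 2
    if op == 0xE9 and avail >= 5:                                  # jmp rel32
        rel = struct.unpack_from("<i", buf, off + 1)[0]
        return "jmp %08Xh" % ((base + off + 5 + rel) & 0xFFFFFFFF), 5
    if op == 0xFF and avail >= 3 and buf[off + 1] == 0x75:         # push dword ptr [ebp+disp8]
        return "push dword ptr [ebp+%02Xh]" % buf[off + 2], 3
    if 0xB8 <= op <= 0xBF and avail >= 5:                          # mov r32, imm32
        imm = struct.unpack_from("<I", buf, off + 1)[0]
        return "mov %s, %08Xh" % (REG32[op - 0xB8], imm), 5
    if op == 0x83 and avail >= 3 and buf[off + 1] == 0xC7:         # add edi, imm8
        return "add edi, %02Xh" % buf[off + 2], 3
    if op == 0x3C and avail >= 2:                                  # cmp al, imm8
        return "cmp al, %02Xh" % buf[off + 1], 2
    if op == 0x2C and avail >= 2:                                  # sub al, imm8
        return "sub al, %02Xh" % buf[off + 1], 2
    return "db %02Xh" % op, 1


def find_nop_runs(buf, base=0, min_run=MIN_RUN):
    """Return [(va_of_run, run_length, following_instruction)] for every NOP run >= min_run."""
    hits = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and buf[j] == 0x90:
            j += 1
        if j - i >= min_run and j < n:      # a sled that runs into the end of the buffer has no "then"
            hits.append((base + i, j - i, decode_next(buf, j, base)[0]))
        i = j
    return hits


# Constructed code bytes (not taken from the sample); assumed image base 0x400000.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                                         # push ebp; mov ebp, esp
    0x90, 0x90, 0x90, 0x90, 0xEB, 0x10,                       # 4 x nop then jmp +0x10
    0x33, 0xC0,                                               # xor eax, eax
    0x90, 0x90, 0x40,                                         # 2 x nop (below threshold), inc eax
    0x90, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x75, 0x14,           # 5 x nop then push dword ptr [ebp+14h]
    0x90, 0x90, 0x90, 0x90, 0xB9, 0x3C, 0x00, 0x00, 0x00,     # 4 x nop then mov ecx, 3Ch
    0xC3,                                                     # ret
])

if __name__ == "__main__":
    for va, run, insn in find_nop_runs(SAMPLE_CODE, base=0x400000):
        print("%08X: %dx nop then %s" % (va, run, insn))
```

The pairs "cmp al, 7Ah / sub al, 20h" and "cmp eax, 7Ah / sub eax, 20h" in the report's list are the shape of a hand-written lowercase-to-uppercase loop ('z' is 0x7A, and subtracting 0x20 upper-cases an ASCII letter), which is typical of custom string-hashing or API-lookup routines rather than compiler output; the heuristic on its own is noisy, so treat a hit as a pointer to a function worth reading, not as a verdict.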

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic, TCP traffic: 192.168.1.16:49223 -> 144.76.215.120:9003
May check the online IP address of the machine
Source: unknown, DNS query: name: www.iptrackeronline.com (four queries)
IP address seen in connection with other malware
Source: Joe Sandbox View, IP address: 45.55.57.244
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN name: HETZNER-ASDE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic, TCP traffic: 192.168.1.16:49225 -> 45.55.57.244:443
Found strings which match to known social media urls
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string found in binary or memory: '//connect.facebook.net/en_US/all.js' equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string found in binary or memory: <!-- Facebook SDK --> equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000002.00000002.1878729924.0052D000.00000004.sdmp, string found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: doddyfire.dyndns.org
Urls found in memory or binary data
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp, string: http://cert.int-x3.letsencrypt.org/0O
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp, string: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000002.00000002.1878749571.0055B000.00000004.sdmp, string: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b37fe583ce910
Source: RegAsm.exe, 00000002.00000002.1878749571.0055B000.00000004.sdmp, string: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eno
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp, string: http://goo.gl/YroZm&quot;
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://isrg.trustid.ocsp.identrust.com0;
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp, string: http://ocsp.int-x3.letsencrypt.org0/
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp, string: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TkAngEQurH.exe, string: http://www.autoitscript.com/autoit3/R
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://apis.google.com/js/platform.js
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp, string: https://randomuser.me/api/
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://rec.smartlook.com/recorder.js
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp, string: https://secure.comodo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, string: https://stamen-maps.a.ssl.fastly.net/js/tile.stamen.js
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp and 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://unpkg.com/leaflet
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp and 00000002.00000002.1879900052.01C9E000.00000004.sdmp, string: https://www.connecticallc.com/
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp, string: https://www.iptrackeronline.com
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp, string: https://www.iptrackeronline.com/
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://www.iptrackeronline.com/favicon.ico
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://www.iptrackeronline.com/images/ipt-fb-logo.png
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp and 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://www.iptrackeronline.com?ip_address=
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp, string: https://www.iptrackeronline.com?ip_address=185.32.222.17
Uses HTTPS
Source: unknown, network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown, network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown, network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown, network traffic detected: HTTP traffic on port 49225 -> 443
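
Three of the networking signatures above are cheap to reproduce on flow and DNS telemetry: an outbound connection to a port that is not a well-known service port (here 144.76.215.120:9003), a query for a dynamic-DNS hostname (doddyfire.dyndns.org) and a query for a public IP-check service (www.iptrackeronline.com, which the RegAsm.exe memory dump also references with an `?ip_address=` parameter). The triage function below is an added example, not Joe Sandbox code; the IOC values come from the report, while the record layout, the port set and the two suffix lists are this example's own assumptions and will need tuning per environment.

```python
"""Triage flow and DNS records against the three network heuristics the report fired on:
non-standard destination port, dynamic-DNS C2 hostname, public IP-check service.

Added example, not Joe Sandbox code. IOC values are from the report; the record
layout, STANDARD_PORTS and the suffix lists are assumptions.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")
DnsQuery = namedtuple("DnsQuery", "qname")

# Ports treated as "standard" for outbound client traffic (assumed list; tune per environment).
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 3389}
# Dynamic-DNS providers often used for RAT C2 (assumed list; dyndns.org is the one in the report).
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "no-ip.biz", "ddns.net", "duckdns.org", "hopto.org", "zapto.org")
# Public "what is my IP" services (assumed list; iptrackeronline.com is the one in the report).
IP_CHECK_SUFFIXES = ("iptrackeronline.com", "ipify.org", "icanhazip.com", "whatismyip.com", "checkip.dyndns.org")


def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any suffix (case-insensitive, trailing dot ignored)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def is_outbound_to_internet(flow):
    """Private (RFC 1918 etc.) source talking to a non-private destination."""
    return ipaddress.ip_address(flow.src).is_private and not ipaddress.ip_address(flow.dst).is_private


def triage(flows, queries):
    """Return an ordered, de-duplicated list of (rule, detail) findings."""
    findings = []
    for f in flows:
        if is_outbound_to_internet(f) and f.dport not in STANDARD_PORTS:
            findings.append(("non-standard-port",
                             "%s %s:%d -> %s:%d" % (f.proto, f.src, f.sport, f.dst, f.dport)))
    for q in queries:
        if host_matches(q.qname, DYNDNS_SUFFIXES):
            findings.append(("dynamic-dns", q.qname.lower()))
        if host_matches(q.qname, IP_CHECK_SUFFIXES):
            findings.append(("ip-check-service", q.qname.lower()))
    seen, unique = set(), []
    for item in findings:                 # the sandbox saw the same DNS query four times; report it once
        if item not in seen:
            seen.add(item)
            unique.append(item)
    return unique


# Constructed records mirroring the report; the Windows Update query is a benign control.
SAMPLE_FLOWS = [
    Flow("TCP", "192.168.1.16", 49223, "144.76.215.120", 9003),
    Flow("TCP", "192.168.1.16", 49225, "45.55.57.244", 443),
    Flow("TCP", "192.168.1.16", 49226, "45.55.57.244", 443),
]
SAMPLE_QUERIES = [DnsQuery("www.iptrackeronline.com")] * 4 + [
    DnsQuery("doddyfire.dyndns.org"),
    DnsQuery("ctldl.windowsupdate.com"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_FLOWS, SAMPLE_QUERIES):
        print("%-18s %s" % (rule, detail))
```

The 443 connections to 45.55.57.244 are deliberately not flagged by the port rule: port 443 is the normal case, and the report's own finding about that address rests on reputation (seen with other malware) rather than on the port. The dynamic-DNS rule is the one with the best precision for this family of loader, since a dyndns.org hostname resolved by a freshly started RegAsm.exe has no legitimate explanation.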

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\TkAngEQurH.exe, code function 0_2_00402344: GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW

System Summary:

Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\TkAngEQurH.exe, code function 0_2_00403B4C: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe, string found in binary or memory: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe, 00000000.00000002.1829962092.00401000.00000040.sdmp, string found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code function 4_2_00403B4C: This is a third-party compiled AutoIt script.
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code function 4_1_00403B4C: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe, string found in binary or memory: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp, string found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
PE file has nameless sections
Source: TkAngEQurH.exe, static PE information: three sections with an empty section name
Source: TkAngEQurH.exe.0.dr, static PE information: three sections with an empty section name
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code function 4_2_0038C6D8: CreateFileA,DeviceIoControl
Creates mutexes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, mutant created: \Sessions\2\BaseNamedObjects\bf0531fb-fa28-49ea-81c4-428bcbe79ca8
Detected potential crypto function
Source: C:\Users\user\Desktop\TkAngEQurH.exe, code functions: 0_2_004233C7, 0_2_0040E800, 0_2_0040FE40, 0_2_0048804A, 0_2_0040E060, 0_2_00437006, 0_2_0041710E, 0_2_00413190, 0_2_00401287, 0_2_00422405, 0_2_0042F419, 0_2_00436522, 0_2_004216C4, 0_2_00416843, 0_2_0042283A, 0_2_004278D3, 0_2_004389DF
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code functions: 4_2_004233C7, 4_2_0040E800, 4_2_0048804A, 4_2_0040E060, 4_2_00437006, 4_2_0041710E, 4_2_00413190, 4_2_00422405, 4_2_0042F419, 4_2_00436522, 4_2_004216C4, 4_2_00416843, 4_2_0042283A, 4_2_004278D3, 4_2_0040192B, 4_2_004389DF, 4_2_00418A0E, 4_2_00436A94, 4_2_0042DBB5, 4_2_00421BB8, 4_2_0042CD61, 4_2_0040FE40, 4_2_00421FD0, 4_2_0042BFE6, 4_2_00384017, 4_2_00381252, 4_2_00385389, 4_2_0039C4D0, 4_2_003844CA, 4_2_0038456E, 4_2_0039C553, 4_2_0038A54E, 4_2_0038560B, 4_2_0039C6D9, 4_2_0038571F, 4_2_0038177E, 4_2_0038192D, 4_2_00383FE3
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code functions: 4_1_004233C7, 4_1_0040E800, 4_1_0048804A, 4_1_0040E060, 4_1_00437006
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code function: string function 00428B40 appears 44 times
PE file contains strange resources
Source: TkAngEQurH.exe, static PE information: resource name RT_ICON, type GLS_BINARY_LSB_FIRST
Source: TkAngEQurH.exe.0.dr, static PE information: resource name RT_ICON, type GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, file read: C:\Windows\System32\drivers\etc\hosts (three times)
Sample file is different than original file name gathered from version info
Source: TkAngEQurH.exe, 00000000.00000003.1582807733.003D0000.00000004.sdmp, binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs TkAngEQurH.exe
Source: TkAngEQurH.exe, 00000000.00000003.1823823585.00CA0000.00000004.sdmp, binary or memory string: OriginalFilenameRegAsm.exeT vs TkAngEQurH.exe
Source: TkAngEQurH.exe, 00000000.00000002.1865310057.01A50000.00000008.sdmp, binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs TkAngEQurH.exe
Source: TkAngEQurH.exe, 00000004.00000003.1839430209.003D0000.00000004.sdmp, binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs TkAngEQurH.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\TkAngEQurH.exe, file read: C:\Users\user\Desktop\TkAngEQurH.exe
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: TkAngEQurH.exe, static PE information: section ZLIB complexity 0.999357486321
Source: TkAngEQurH.exe.0.dr, static PE information: section ZLIB complexity 0.999357486321
Classification label
Source: classification engine, classification label: mal100.troj.evad.winEXE@4/6@7/2
Contains functionality for error logging
Source: C:\Users\user\Desktop\TkAngEQurH.exe, code function 0_2_0046A2D5: GetLastError,FormatMessageW
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe, code function 4_2_00463E91: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\TkAngEQurH.exe, code function 0_2_00404FE9: CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, WMI query: IWbemServices::CreateInstanceEnum - Win32_Processor (note: the class actually enumerated is Win32_Processor, i.e. CPU information, not Win32_Process)
Reads ini files
Source: C:\Users\user\Desktop\TkAngEQurH.exe, file read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\TkAngEQurH.exe, key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: TkAngEQurH.exe, VirusTotal detection: 46%
Sample might require command line arguments (.Net)
Source: TkAngEQurH.exe, string found in binary or memory: #comments-start (twice; note that #comments-start is an AutoIt script directive, consistent with the compiled-AutoIt finding above, not a .NET artifact)
Spawns processes
Source: unknown, process created: C:\Users\user\Desktop\TkAngEQurH.exe 'C:\Users\user\Desktop\TkAngEQurH.exe'
Source: unknown, process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown, process created: C:\Users\user\AppData\Roaming\TkAngEQurH.exe 'C:\Users\user\AppData\Roaming\TkAngEQurH.exe'
Source: C:\Users\user\Desktop\TkAngEQurH.exe, process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\TkAngEQurH.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Reads the Windows registered owner settings
Source: C:\Users\user\Desktop\TkAngEQurH.exe, key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, file opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll (note: mscorrc.dll is the CLR's resource library, so this is ordinary .NET runtime activity rather than Silverlight)
Submission file is bigger than most known malware samples
Source: TkAngEQurH.exe, static file information: file size 1277968 > 1048576
Binary contains paths to debug symbols
Source: binary string: c:\Users\Shockwave\Documents\Visual Studio 2012\Projects\LZLoader\LZLoader\obj\Debug\LZLoader.pdb, found in RegAsm.exe, 00000002.00000002.1878556900.003C0000.00000004.sdmp
Source: binary string: D:\Andrew\AForge.NET\trunk\Sources\Video\obj\Release\AForge.Video.pdb, found in RegAsm.exe, 00000002.00000002.1878556900.003C0000.00000004.sdmp
Source: binary string: G:\Files\Imminent Methods\Code\Main Project\Imminent Monitor\ClientPlugin\obj\Release\ClientPlugin.pdb, found in RegAsm.exe, 00000002.00000002.1879335945.009A0000.00000004.sdmp
Source: binary string: c:\Users\Shockwave\Desktop\New folder (2)\SevenZip\Compress\LzmaAlone\obj\Debug\Lzma.pdb, found in RegAsm.exe, 00000002.00000002.1878537804.003A0000.00000004.sdmp
Source: binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb, found in RegAsm.exe, 00000002.00000002.1878888801.007A0000.00000004.sdmp
Source: binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb|, found in RegAsm.exe, 00000002.00000002.1878888801.007A0000.00000004.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Unpacked PE file: 0.2.TkAngEQurH.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Unpacked PE file: 4.2.TkAngEQurH.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0047C304 LoadLibraryA,GetProcAddress, 0_2_0047C304
PE file contains sections with non-standard names
Source: TkAngEQurH.exe | Static PE information: section name:
Source: TkAngEQurH.exe | Static PE information: section name:
Source: TkAngEQurH.exe | Static PE information: section name:
Source: TkAngEQurH.exe.0.dr | Static PE information: section name:
Source: TkAngEQurH.exe.0.dr | Static PE information: section name:
Source: TkAngEQurH.exe.0.dr | Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004143CB push edi; ret 0_2_004143CD
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004143B7 push edi; ret 0_2_004143B9
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004143CB push edi; ret 4_2_004143CD
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004143B7 push edi; ret 4_2_004143B9
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00428B85 push ecx; ret 4_2_00428B98
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_003808D9 push es; ret 4_2_003808DA
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: entropy: 7.99656260563
Source: initial sample | Static PE information: section name: entropy: 7.99656260563

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, PhysicalDrive 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, @\\.\PhysicalDrive 4_2_0038C787
Drops PE files
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\TkAngEQurH.exe

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, PhysicalDrive 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, @\\.\PhysicalDrive 4_2_0038C787
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_00404A35
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004233C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004233C7
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | System information queried: FirmwareTableInformation
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | File opened / queried: VBoxGuest
Contains functionality to detect virtual machines (SGDT)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038C4DB sgdt fword ptr [ecx] 4_2_0038C4DB
Contains functionality to detect virtual machines (SIDT)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038C4B6 sidt fword ptr [ecx] 4_2_0038C4B6
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Window / User API: threadDelayed 5781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 508
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | API coverage: 7.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep count: 5781 > 30
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep time: -57810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3516 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1888 | Thread sleep time: -440000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2484 | Thread sleep time: -960000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2484 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1888 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00464696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00464696
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00464696 GetFileAttributesW,FindFirstFileW,FindClose, 4_2_00464696
Contains functionality to query system information
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00404AFE GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00404AFE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: RegAsm.exe, 00000002.00000003.1825542117.02B96000.00000004.sdmp | Binary or memory string: HGFSC
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | Binary or memory string: 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
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | Binary or memory string: pbefoqIjwIQeMurZQDnBFaaGUuOt
Source: TkAngEQurH.exe | Binary or memory string: \\.\VBoxGuest
Source: TkAngEQurH.exe, 00000004.00000002.1883487060.00380000.00000040.sdmp | Binary or memory string: n\\.\VBoxGuest
Program exit points
Source: C:\Users\user\Desktop\TkAngEQurH.exe | API call chain: ExitProcess graph end node graph_0-39822
Queries a list of all running drivers
Source: C:\Users\user\Desktop\TkAngEQurH.exe | System information queried: ModuleInformation
Queries a list of all running processes
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_003988CA CheckRemoteDebuggerPresent, 4_2_003988CA
Hides threads from debuggers
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Open window title or class name: windbgframeclass
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | File opened: NTICE
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | File opened: SICE
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\TkAngEQurH.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00403B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00435CCC RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 4_2_00435CCC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0047C304 LoadLibraryA,GetProcAddress, 0_2_0047C304
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004399F2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 4_2_004399F2
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042A364 SetUnhandledExceptionFilter, 0_2_0042A364
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042A395
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042A364 SetUnhandledExceptionFilter, 4_2_0042A364
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0042A395
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_0042A364 SetUnhandledExceptionFilter, 4_1_0042A364
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Thread register set: target process: 4052
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00403B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_00404A35
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00464C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 4_2_00464C03
May try to detect the Windows Explorer process (often used for injection)
Source: TkAngEQurH.exe, 00000000.00000002.1829962092.00401000.00000040.sdmp, TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000002.00000002.1879866997.01C70000.00000004.sdmp, TkAngEQurH.exe, 00000004.00000002.1884067089.00F90000.00000002.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.1879489872.00D00000.00000002.sdmp, TkAngEQurH.exe, 00000004.00000002.1884067089.00F90000.00000002.sdmp | Binary or memory string: Progman
Source: TkAngEQurH.exe | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: ProgMan
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000002.00000002.1879784660.01C3B000.00000004.sdmp | Binary or memory string: w: [-- Program Manager --]
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042886B cpuid 0_2_0042886B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Queries volume information: C:\Users\user\Desktop\TkAngEQurH.exe VolumeInformation
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Queries volume information: C:\Users\user\Desktop\TkAngEQurH.exe VolumeInformation
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Queries volume information: C:\Users\user\Desktop\TkAngEQurH.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Queries volume information: C:\Users\user\AppData\Roaming\TkAngEQurH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Queries volume information: C:\Users\user\AppData\Roaming\TkAngEQurH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Queries volume information: C:\Users\user\AppData\Roaming\TkAngEQurH.exe VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_004350D7
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00442230 GetUserNameW, 0_2_00442230
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0043418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0043418A
Contains functionality to query windows version
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00404AFE GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00404AFE
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)
Source: TkAngEQurH.exe | Binary or memory string: WIN_81
Source: TkAngEQurH.exe | Binary or memory string: WIN_XP
Source: TkAngEQurH.exe | Binary or memory string: WIN_XPe
Source: TkAngEQurH.exe | Binary or memory string: WIN_VISTA
Source: TkAngEQurH.exe | Binary or memory string: WIN_7
Source: TkAngEQurH.exe | Binary or memory string: WIN_8
Source: TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Detected Imminent RAT
Source: RegAsm.exe, 00000002.00000002.1879335945.009A0000.00000004.sdmp | String found in binary or memory: G:\Files\Imminent Methods\Code\Main Project\Imminent Monitor\ClientPlugin\obj\Release\ClientPlugin.pdb
Contains functionality to start a terminal service
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: net start TermService

Sample Distance (10 = nearest): no similar samples listed

Behavior Graph (ID: 763719, Sample: TkAngEQurH.exe, Startdate: 18/01/2019, Architecture: WINDOWS, Score: 100)

Processes:
  • TkAngEQurH.exe (started from the sample); drops C:\Users\...\TkAngEQurH.exe:Zone.Identifier (ASCII) and C:\Users\user\AppData\...\TkAngEQurH.exe (MS-DOS); starts RegAsm.exe
  • TkAngEQurH.exe (second instance, started from the dropped copy)
  • RegAsm.exe (started by the first TkAngEQurH.exe)

Network (from RegAsm.exe):
  • doddyfire.dyndns.org, 144.76.215.120, ports 49223, 49224, 49231, HETZNER-ASDE Germany
  • www.iptrackeronline.com / iptrackeronline.com, 45.55.57.244, ports 443, 49225, 49226, DIGITALOCEAN-ASN-DigitalOceanIncUS United States

Signatures on the sample: Multi AV Scanner detection for submitted file; Detected Imminent RAT; Contains functionality to start a terminal service; 5 other signatures
Signatures on the first TkAngEQurH.exe: Detected unpacking (overwrites its own PE header); Query firmware table information (likely to detect VMs); Binary is likely a compiled AutoIt script file; 2 other signatures
Signatures on the second TkAngEQurH.exe: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Contains functionality to infect the boot sector; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Signatures on RegAsm.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)
Signatures on network: Detected TCP or UDP traffic on non-standard ports (doddyfire.dyndns.org); May check the online IP address of the machine (www.iptrackeronline.com)

Simulations

Behavior and APIs

Time     | Type            | Description
15:22:33 | API Interceptor | 1772x Sleep call for process: TkAngEQurH.exe modified
15:24:16 | API Interceptor | 65x Sleep call for process: RegAsm.exe modified
15:24:18 | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk

Antivirus Detection

Initial Sample

Source         | Detection | Scanner    | Label
TkAngEQurH.exe | 47%       | virustotal |

Dropped Files

Source                                      | Detection | Scanner    | Label
C:\Users\user\AppData\Roaming\TkAngEQurH.exe | 47%       | virustotal |

Unpacked PE Files

Source                              | Detection | Scanner | Label
2.0.RegAsm.exe.400000.0.unpack      | 100%      | Avira   | TR/Dropper.Gen
0.2.TkAngEQurH.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.XPACK.Gen
0.3.TkAngEQurH.exe.1b80000.0.unpack | 100%      | Avira   | TR/Crypt.XPACK.Gen
4.0.TkAngEQurH.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.XPACK.Gen
0.1.TkAngEQurH.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.XPACK.Gen
2.0.RegAsm.exe.400000.4.unpack      | 100%      | Avira   | TR/Dropper.Gen
4.2.TkAngEQurH.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.XPACK.Gen
0.0.TkAngEQurH.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.XPACK.Gen
4.1.TkAngEQurH.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.XPACK.Gen
2.0.RegAsm.exe.400000.3.unpack      | 100%      | Avira   | TR/Dropper.Gen
2.0.RegAsm.exe.400000.1.unpack      | 100%      | Avira   | TR/Dropper.Gen
4.3.TkAngEQurH.exe.1b90000.0.unpack | 100%      | Avira   | TR/Crypt.XPACK.Gen
2.0.RegAsm.exe.400000.2.unpack      | 100%      | Avira   | TR/Dropper.Gen
2.2.RegAsm.exe.400000.3.unpack      | 100%      | Avira   | TR/Dropper.MSIL.Gen

Domains

Source               | Detection | Scanner    | Label
doddyfire.dyndns.org | 3%        | virustotal |

URLs

Source                                                 | Detection | Scanner    | Label
https://stamen-maps.a.ssl.fastly.net/js/tile.stamen.js | 0%        | virustotal |
https://www.connecticallc.com/                         | 0%        | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match: 45.55.57.244
Associated samples, all detected as malicious:
• 1d8.doc
• Registraduria Nacional del Estado Civil -Proceso inicado.doc
• 70payment $37,140.exe
• 21file1253634_Protected.exe
• 15OrderList_Inquiry.exe
• 57TP DSA database.xls.exe
• 75TTcopy_payment10000$.exe
• Software.exe
• 29Purchase Details Quotation.exe
• 63purchase order.exe
• 44swift copy.exe
• Registraduria Nacional del Estado Civil -Proceso inicado.doc
• 2618212_01_CARTE.doc
• 40item.exe
• 69RENEWAL OF PROFESSIONAL INDEMNITY INSURANCE POLICY-KELVIC.pd.exe
• 18Products List.doc
• 15Sept PO.doc

Domains

Match: iptrackeronline.com
Associated samples, all detected as malicious, with the IP each contacted:
• Print Label FedEx File Number 3940594.exe (45.55.57.244)
• Migracion colombia detalles de su Proceso pendiente.doc (45.55.57.244)
• 1d8.doc (45.55.57.244)
• receipt.exe (45.55.57.244)
• 57TP DSA database.xls.exe (45.55.57.244)
• 29Purchase Details Quotation.exe (45.55.57.244)
• 63purchase order.exe (45.55.57.244)
• 40item.exe (45.55.57.244)
• 69RENEWAL OF PROFESSIONAL INDEMNITY INSURANCE POLICY-KELVIC.pd.exe (45.55.57.244)

ASN

Match: DIGITALOCEAN-ASN-DigitalOceanIncUS
Associated samples, all detected as malicious, with the IP each contacted:
• index.doc (162.243.154.25)
• 57xibanfkphz.exe (159.203.103.50)
• Rechnungs-Details # 828256704534.doc (107.170.177.153)
• Feedback1492612493425.apk (82.196.2.55)
• 5WF6uhDmCN.rtf (138.68.234.128)
• tLbQJ4uFVD.exe (104.236.109.186)
• seo4ran.exe (104.236.109.186)
• Dridex_extract-1512504575.962566-HTTP-FiRYPsxjeLBitjbX.exe (107.170.65.224)
• Wollin_Info.doc (107.170.10.34)
• HJH1-1810905115.doc (107.170.228.217)
• Emotet.doc (104.236.109.186)
• Emotet.doc (104.236.109.186)
• f8OseYMEM.exe (104.236.109.186)
• Trillium_Security_MultiSploit_Tool_v6.5.2.exe (165.227.29.57)
• CeYkXgnhbU.doc (138.68.176.166)
• Emotet.doc (178.62.39.238)
• Invoices Overdue.doc (178.62.39.238)
• Emotet21.02.doc (178.62.39.238)
• Dokumente vom Notar #33062192.doc (178.62.39.238)

Match: HETZNER-ASDE
Associated samples, all detected as malicious, with the IP each contacted:
• http://184.176.139.83/wp-snapshots/cr/index.php?q=ac2f87b395b55826f04871c2dedd11a6 (136.243.94.27)
• 26ghostviewer@youtube.exe (88.198.26.2)
• 21file.exe (88.198.26.2)
• 25redacted@threatwav.exe (88.198.26.2)
• 55fil.exe (88.198.26.2)
• 11file.exe (88.198.26.2)
• 5letter.exe (88.198.26.2)
• 65redacted@threatwav.exe (88.198.26.2)
• 37pobrien@orbtec.exe (88.198.26.2)
• 51readme.com (88.198.26.2)
• index.doc (136.243.202.133)
• .exe (88.198.26.2)
• 61message.exe (88.198.26.2)
• 13RdnTC5NBJm.exe (88.198.26.2)
• 32document.txt .exe (88.198.26.2)
• .exe (88.198.26.2)
• 59james@youtube.exe (88.198.26.2)
• 29.doc .exe (88.198.26.2)
• 24175368.exe (148.251.33.195)
• a009dce0-5469-415c-8adb-28850befd97.exe (176.9.97.245)

JA3 Fingerprints

Match: 05af1f5ca1b87cc9cc9b25185115607d
Associated samples, all detected as malicious, with the IP each contacted:
• Your_Purchase_4396143.xls (45.55.57.244)
• vyplatyMGM.xls (45.55.57.244)
• Your_Purchase_4396143.xls (45.55.57.244)
• vyplatyMGM.xls (45.55.57.244)
• GgM4zgU80G.xls (45.55.57.244)
• 99fec9fb-7148-4d49-a01f-963099c821c6.doc (45.55.57.244)
• GgM4zgU80G.xls (45.55.57.244)
• vyplatyMGM.xls (45.55.57.244)
• vyplatyMGM.xls (45.55.57.244)
• invoice.doc (45.55.57.244)
• 99fec9fb-7148-4d49-a01f-963099c821c6.doc (45.55.57.244)

Dropped Files

No context


Startup

• System is w7_1
• TkAngEQurH.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\TkAngEQurH.exe' MD5: D6C644512C430CD64965C2259150F371)
  • RegAsm.exe (PID: 4052 cmdline: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
• TkAngEQurH.exe (PID: 1292 cmdline: 'C:\Users\user\AppData\Roaming\TkAngEQurH.exe' MD5: D6C644512C430CD64965C2259150F371)
• cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Imminent\Logs\18-01-2019
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Size (bytes): 170
Entropy (8bit): 6.70616225953984
Encrypted: false
MD5: 7EAE23D1B7069F35BF62DEA8C5F31833
SHA1: FE2D0DAF72379532525E811F17ADE7C73E5F55AD
SHA-256: 05717E5CA6D10E0970E2BF91A7B1A79124FD03510EC67A363028AD8BA45A8DF9
SHA-512: 37E76892C8211C9D54009A72B2F50D1C5B7E78AC987DA5DB77775636095A5F7955C9A1786B53A7BCCE71812E40F02AB16AB6586FC1FA5FEB05F347217A91E791
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Imminent\Monitoring\network.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Size (bytes): 1562
Entropy (8bit): 7.006894037192563
Encrypted: false
MD5: 6DAE2802D8C3A7C1B00C8FE1EC67F22C
SHA1: 8CE76AA7C8CAD5956632ADF485E149E54AEC7805
SHA-256: 2E784E0627B4E8C560C5F152778D487738DAEC8468D76DE3FCEA2A25EEA64437
SHA-512: F993DC535292626B1A9C255D1FAF7ED4360D22628716EE2C695EB6B7015B4832E99A10561BE5129DD7C9EC719F48CC2DFE00DA29D99A0762A1B8C58F8814DF7C
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Imminent\Monitoring\system.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Size (bytes): 810
Entropy (8bit): 6.6092852162220455
Encrypted: false
MD5: D2F21B47E97A4DF648758867D773075A
SHA1: 6C33450A8B2F2C1D7282B8AFAA4D808909AA255B
SHA-256: 9DB03033FC72B691C71FF9CD76415BDD9007946D35590470F52FBBFE9C210C5F
SHA-512: F500ED057512F9429571FC9D111BDE9C9323EAFE52FBA97FC359FD5C3762BF642995DCFF7B3AE4F80AB308EFF317D3EC7F8A59C174112A6A3FC2BA5F844CA3A0
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk
Process: C:\Users\user\Desktop\TkAngEQurH.exe
File Type: MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Size (bytes): 818
Entropy (8bit): 3.1949319387267714
Encrypted: false
MD5: FCB89B5EC63E2F3FC733C41C40CB6479
SHA1: C3BD07DB57D78DD9B3871BDD26DDFE5A14A48EA7
SHA-256: FB7398E6FD2D82EDB286E97477C9A08437B545926211DE60756235ADF2991E36
SHA-512: 02EA4A8B7397826ACB333B073B803A3A04BA000CD72C26B2B966AB240F548FADA2794180F8E33C6F2E470778E5D677C7FEDBA43458E17F4AC9D14ED1BC6D887B
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\TkAngEQurH.exe
Process: C:\Users\user\Desktop\TkAngEQurH.exe
File Type: MS-DOS executable
Size (bytes): 1277968
Entropy (8bit): 7.872549178114576
Encrypted: false
MD5: D6C644512C430CD64965C2259150F371
SHA1: 3CC4AB3774B9C0FE1373F66FFE8580DB790732C1
SHA-256: 3BC0AE9CD143920A55A4A53C61DD516CE5069F3D9453D2A08FC47273F29D1CF3
SHA-512: 49F3C4DC7E42980AA82E88DAB6933D30B2A05939DB1D8BBC5CC076DF761D2970ED85611813BCB5D97915835FD9C4DBE9F1F44F53D4BA026DDCE1DB8327B1B8DD
Malicious: true
Antivirus: virustotal, Detection: 47%
Reputation: low

C:\Users\user\AppData\Roaming\TkAngEQurH.exe:Zone.Identifier
Process: C:\Users\user\Desktop\TkAngEQurH.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

Domains and IPs

Contacted Domains

Name                    | IP             | Active  | Malicious | Antivirus Detection | Reputation
iptrackeronline.com     | 45.55.57.244   | true    | false     |                     | high
doddyfire.dyndns.org    | 144.76.215.120 | true    | true      | 3%, virustotal      | low
www.iptrackeronline.com | unknown        | unknown | false     |                     | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.entrust.net/server1.crl0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
http://cps.letsencrypt.org0 | RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | false | | high
https://rec.smartlook.com/recorder.js | RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | false | | high
http://ocsp.entrust.net03 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
http://www.autoitscript.com/autoit3/R | TkAngEQurH.exe | false | | high
https://www.iptrackeronline.com/ | RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | false | | high
https://www.iptrackeronline.com?ip_address= | RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | false | | high
http://ocsp.int-x3.letsencrypt.org0/ | RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | false | | high
https://stamen-maps.a.ssl.fastly.net/js/tile.stamen.js | RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp | false | | low
https://unpkg.com/leaflet | RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | false | | high
https://www.iptrackeronline.com?ip_address=185.32.222.17 | RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
http://www.diginotar.nl/cps/pkioverheid0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
http://cert.int-x3.letsencrypt.org/0O | RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
https://www.connecticallc.com/ | RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1879900052.01C9E000.00000004.sdmp | false | | unknown
https://randomuser.me/api/ | RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | false | | high
https://www.iptrackeronline.com/images/ipt-fb-logo.png | RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | false | | high
http://goo.gl/YroZm" | RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | false | | high
http://ocsp.entrust.net0D | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | false | | high
https://secure.comodo.com/CPS0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
https://www.iptrackeronline.com/favicon.ico | RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | false | | high
http://cps.root-x1.letsencrypt.org0 | RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | false | | high
https://www.iptrackeronline.com | RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | false | | high

Contacted IPs


Public

IP             | Country       | ASN   | ASN Name                           | Malicious
45.55.57.244   | United States | 14061 | DIGITALOCEAN-ASN-DigitalOceanIncUS | false
144.76.215.120 | Germany       | 24940 | HETZNER-ASDE                       | true

Static File Info

General

File type: MS-DOS executable
Entropy (8bit): 7.872549178114576
TrID:
• Win32 Executable (generic) a (10002005/4) 99.97%
• DOS Executable Generic (2002/1) 0.02%
• Java Script embedded in Visual Basic Script (1500/0) 0.01%
File name: TkAngEQurH.exe
File size: 1277968
MD5: d6c644512c430cd64965c2259150f371
SHA1: 3cc4ab3774b9c0fe1373f66ffe8580db790732c1
SHA256: 3bc0ae9cd143920a55a4a53c61dd516ce5069f3d9453d2a08fc47273f29d1cf3
SHA512: 49f3c4dc7e42980aa82e88dab6933d30b2a05939db1d8bbc5cc076df761d2970ed85611813bcb5d97915835fd9c4dbe9f1f44f53d4ba026ddce1db8327b1b8dd
SSDEEP: 24576:5T791Po0nH/tGM8Vuh4EmNfSu6+S2xtxZYCJSRHjvyUfVboVrKVq:B9ZnH/tZQJfS7+SqxZYNJyImtGq
File Content Preview: MZ*\.bo....|.o.Y2.Z.;..e...Syy.<_07p....,......p....C.~...t%.....Q.............................................................................................................................................................................................

File Icon

Icon Hash: b271f8e4ec603142

Static PE Info

General

Entrypoint: 0x5ff000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x5BD0F21F [Wed Oct 24 22:28:47 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 984c4c57e82d8e821a29c7a241b6100b

Entrypoint Preview

Instruction
jmp 00007FC528F46D56h
test eax, 50E0169Fh
jmp 00007FC528F46D53h
xor eax, 000015E8h
add bl, ch
add cl, byte ptr [edi]
mov bl, EBh
add dword ptr [ecx], ebp
xor eax, eax
jmp 00007FC528F46D57h
mov ss, word ptr [esi+71A2B34Eh]
pop edi
jmp 00007FC528F46D53h
imul bl
add dword ptr [ecx-15B7C748h], esi
imul bl
add al, 3Bh
mov ebx, 02EB1CFBh
add dl, byte ptr [ebx+05h]
enter 15B7h, 09h
jmp 00007FC528F46D53h
cmp dh, byte ptr [ebp+40h]
jmp 00007FC528F46D54h
cmp eax, 30FF647Fh
jmp 00007FC528F46D55h
mov edx, 896419ACh
and bl, ch
add al, 1Dh
imul eax, esp, 55h
jmp 00007FC528F46D57h
fisub word ptr [esi-749486E6h]
adc bl, ch
add al, 18h
popfd
pop ebx
int 64h
pop dword ptr [eax]
jmp 00007FC528F46D53h
mov dword ptr [ebx+03EB04C4h], eax
or eax, EB586254h
add eax, dword ptr [edx-143C67E5h]
add eax, C29925F1h
lodsd
jmp 00007FC528F46D57h
imul dword ptr [edi-74167F83h]
push esp
and al, 0Ch
jmp 00007FC528F46D56h
ficomp word ptr [ebx+05EBE70Ah]
mov byte ptr [ebp-4671FB25h], ch
cld

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x164000 | 0x158 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x165000 | 0x99468 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x163000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x164000 | 0x1000 | 0x200 | False | 0.375 | data | 2.71681508808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x165000 | 0x99468 | 0x97e0f | False | 0.872212443437 | data | 7.64749388637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x1ff000 | 0x18000 | 0x178f0 | False | 0.999357486321 | DOS executable (COM) | 7.99656260563 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x165090 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0x1651e0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | Great Britain
RT_ICON | 0x175a30 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | Great Britain
RT_STRING | 0x1fded4 | 0x594 | empty | English | Great Britain
RT_STRING | 0x1fd848 | 0x68a | empty | English | Great Britain
RT_STRING | 0x1fd3b8 | 0x490 | empty | English | Great Britain
RT_STRING | 0x1fcdbc | 0x5fc | data | English | Great Britain
RT_STRING | 0x1fc760 | 0x65c | data | English | Great Britain
RT_STRING | 0x1fc2f8 | 0x466 | data | English | Great Britain
RT_STRING | 0x1fc1a0 | 0x158 | data | English | Great Britain
RT_RCDATA | 0x179e10 | 0x81a1c | data | |
RT_RCDATA | 0x1fb854 | 0x13f | data | |
RT_GROUP_ICON | 0x1fb9dc | 0x22 | data | English | Great Britain
RT_GROUP_ICON | 0x1fba28 | 0x14 | data | English | Great Britain
RT_VERSION | 0x1fba7c | 0x2f4 | data | English | Great Britain
RT_MANIFEST | 0x1fbdb0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain

Imports

DLL | Import
kernel32.dll | GetModuleHandleA
user32.dll | ShowWindow
advapi32.dll | RegOpenKeyExW
comctl32.dll | ImageList_Remove

Version Infos

Description | Data
LegalCopyright | Sector Bin Resources @ 2014
FileVersion | 2.84.36.0
CompanyName | Sector Bin Resources
Comments | http://www.autoitscript.com/autoit3/
ProductName | Sector Bin Resources
ProductVersion | 04.13.73
FileDescription | Sector Bin Resources
Translation | 0x0809 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | Great Britain |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 18, 2019 15:25:13.347815037 CET | 51176 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:13.380264997 CET | 53 | 51176 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:13.388881922 CET | 49223 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:13.410773993 CET | 9003 | 49223 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:13.410862923 CET | 49223 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:13.433890104 CET | 9003 | 49223 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:13.646061897 CET | 49223 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:13.668275118 CET | 9003 | 49223 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:13.668580055 CET | 9003 | 49223 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:13.668689966 CET | 49223 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:14.547825098 CET | 49810 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:14.715215921 CET | 53 | 49810 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:14.751549959 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:14.773816109 CET | 9003 | 49224 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:14.773940086 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:14.796585083 CET | 9003 | 49224 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:15.077342987 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:15.099008083 CET | 9003 | 49224 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:15.099164963 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:15.297827005 CET | 55151 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:15.303133965 CET | 53216 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:15.335510015 CET | 53 | 55151 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:15.341490030 CET | 53 | 53216 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:15.512525082 CET | 49792 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:15.516726017 CET | 50672 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:15.539720058 CET | 53 | 49792 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:15.555186033 CET | 53 | 50672 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:15.596584082 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:15.597083092 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:15.692912102 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:15.693032026 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:15.693255901 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:15.693381071 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.044563055 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.045317888 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.140913963 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.141149044 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143090963 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143132925 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143155098 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143234968 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.143774033 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143944025 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143970966 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.143996000 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.245321035 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.245495081 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.342365980 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.342569113 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:16.454133034 CET | 54414 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.455672979 CET | 61734 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.466495991 CET | 53 | 54414 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.467209101 CET | 53 | 61734 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.468589067 CET | 55067 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.470194101 CET | 64117 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.482518911 CET | 53 | 64117 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.495161057 CET | 53 | 55067 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.577227116 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.577323914 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:16.869142056 CET | 62987 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.875061989 CET | 55067 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.896189928 CET | 53 | 62987 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.898175955 CET | 63357 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.901897907 CET | 53 | 55067 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.903693914 CET | 51216 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:16.915956974 CET | 53 | 51216 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:16.939346075 CET | 53 | 63357 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:17.012172937 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.021322966 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.148574114 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.157392979 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255556107 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255585909 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255676985 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255695105 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.255923033 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255938053 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255958080 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255973101 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.255989075 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.256005049 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.256012917 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.256341934 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.264533043 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264699936 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264730930 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264759064 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264786959 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264831066 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264853001 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.264858961 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264905930 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264935017 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264961958 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.264972925 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.265980005 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.273585081 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352205992 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352292061 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352338076 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.352355957 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352387905 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352468014 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.352484941 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352530956 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352560043 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.352587938 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.360946894 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.360997915 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.361036062 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.361067057 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.361093998 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.361119986 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.361140966 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:17.361191034 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.361547947 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:17.368777990 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:17.392438889 CET | 9003 | 49224 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:17.392551899 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:17.392632961 CET | 49224 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:17.414625883 CET | 9003 | 49224 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:18.267760992 CET | 52355 | 53 | 192.168.1.16 | 8.8.8.8
Jan 18, 2019 15:25:18.299943924 CET | 53 | 52355 | 8.8.8.8 | 192.168.1.16
Jan 18, 2019 15:25:18.300663948 CET | 49231 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:18.322956085 CET | 9003 | 49231 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:18.323024035 CET | 49231 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:18.345494986 CET | 9003 | 49231 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:18.346359968 CET | 49231 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:18.419441938 CET | 9003 | 49231 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:18.419529915 CET | 49231 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:18.473973989 CET | 9003 | 49231 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:18.474386930 CET | 49231 | 9003 | 192.168.1.16 | 144.76.215.120
Jan 18, 2019 15:25:18.540304899 CET | 9003 | 49231 | 144.76.215.120 | 192.168.1.16
Jan 18, 2019 15:25:22.269650936 CET | 443 | 49226 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:22.269762993 CET | 49226 | 443 | 192.168.1.16 | 45.55.57.244
Jan 18, 2019 15:25:22.274197102 CET | 443 | 49225 | 45.55.57.244 | 192.168.1.16
Jan 18, 2019 15:25:22.274311066 CET | 49225 | 443 | 192.168.1.16 | 45.55.57.244

                                                                                    UDP Packets


                                                                                    DNS Queries

Timestamp                        | Source IP    | Dest IP | Trans ID | OP Code            | Name                    | Type           | Class
Jan 18, 2019 15:25:13.347815037 CET | 192.168.1.16 | 8.8.8.8 | 0xb8e7   | Standard query (0) | doddyfire.dyndns.org    | A (IP address) | IN (0x0001)
Jan 18, 2019 15:25:14.547825098 CET | 192.168.1.16 | 8.8.8.8 | 0x544d   | Standard query (0) | doddyfire.dyndns.org    | A (IP address) | IN (0x0001)
Jan 18, 2019 15:25:15.297827005 CET | 192.168.1.16 | 8.8.8.8 | 0x75d9   | Standard query (0) | www.iptrackeronline.com | A (IP address) | IN (0x0001)
Jan 18, 2019 15:25:15.303133965 CET | 192.168.1.16 | 8.8.8.8 | 0x3f2a   | Standard query (0) | www.iptrackeronline.com | A (IP address) | IN (0x0001)
Jan 18, 2019 15:25:15.512525082 CET | 192.168.1.16 | 8.8.8.8 | 0xacf6   | Standard query (0) | www.iptrackeronline.com | A (IP address) | IN (0x0001)
Jan 18, 2019 15:25:15.516726017 CET | 192.168.1.16 | 8.8.8.8 | 0xdde3   | Standard query (0) | www.iptrackeronline.com | A (IP address) | IN (0x0001)
Jan 18, 2019 15:25:18.267760992 CET | 192.168.1.16 | 8.8.8.8 | 0xb0a7   | Standard query (0) | doddyfire.dyndns.org    | A (IP address) | IN (0x0001)

                                                                                    DNS Answers

Timestamp                        | Source IP | Dest IP      | Trans ID | Reply Code   | Name                    | CName               | Address        | Type                   | Class
Jan 18, 2019 15:25:13.380264997 CET | 8.8.8.8 | 192.168.1.16 | 0xb8e7   | No error (0) | doddyfire.dyndns.org    |                     | 144.76.215.120 | A (IP address)         | IN (0x0001)
Jan 18, 2019 15:25:14.715215921 CET | 8.8.8.8 | 192.168.1.16 | 0x544d   | No error (0) | doddyfire.dyndns.org    |                     | 144.76.215.120 | A (IP address)         | IN (0x0001)
Jan 18, 2019 15:25:15.335510015 CET | 8.8.8.8 | 192.168.1.16 | 0x75d9   | No error (0) | www.iptrackeronline.com | iptrackeronline.com |                | CNAME (Canonical name) | IN (0x0001)
Jan 18, 2019 15:25:15.335510015 CET | 8.8.8.8 | 192.168.1.16 | 0x75d9   | No error (0) | iptrackeronline.com     |                     | 45.55.57.244   | A (IP address)         | IN (0x0001)
Jan 18, 2019 15:25:15.341490030 CET | 8.8.8.8 | 192.168.1.16 | 0x3f2a   | No error (0) | www.iptrackeronline.com | iptrackeronline.com |                | CNAME (Canonical name) | IN (0x0001)
Jan 18, 2019 15:25:15.341490030 CET | 8.8.8.8 | 192.168.1.16 | 0x3f2a   | No error (0) | iptrackeronline.com     |                     | 45.55.57.244   | A (IP address)         | IN (0x0001)
Jan 18, 2019 15:25:15.539720058 CET | 8.8.8.8 | 192.168.1.16 | 0xacf6   | No error (0) | www.iptrackeronline.com | iptrackeronline.com |                | CNAME (Canonical name) | IN (0x0001)
Jan 18, 2019 15:25:15.539720058 CET | 8.8.8.8 | 192.168.1.16 | 0xacf6   | No error (0) | iptrackeronline.com     |                     | 45.55.57.244   | A (IP address)         | IN (0x0001)
Jan 18, 2019 15:25:15.555186033 CET | 8.8.8.8 | 192.168.1.16 | 0xdde3   | No error (0) | www.iptrackeronline.com | iptrackeronline.com |                | CNAME (Canonical name) | IN (0x0001)
Jan 18, 2019 15:25:15.555186033 CET | 8.8.8.8 | 192.168.1.16 | 0xdde3   | No error (0) | iptrackeronline.com     |                     | 45.55.57.244   | A (IP address)         | IN (0x0001)
Jan 18, 2019 15:25:18.299943924 CET | 8.8.8.8 | 192.168.1.16 | 0xb0a7   | No error (0) | doddyfire.dyndns.org    |                     | 144.76.215.120 | A (IP address)         | IN (0x0001)

                                                                                    HTTPS Packets

Connection 1
Timestamp: Jan 18, 2019 15:25:16.143155098 CET
Source IP / Port: 45.55.57.244 / 443
Dest IP / Port: 192.168.1.16 / 49226
Certificate chain:
  Subject: CN=iptrackeronline.com; Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Not Before: Mon Dec 10 17:41:36 CET 2018; Not After: Sun Mar 10 17:41:36 CET 2019
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before: Thu Mar 17 17:40:46 CET 2016; Not After: Wed Mar 17 17:40:46 CET 2021
JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d

Connection 2
Timestamp: Jan 18, 2019 15:25:16.143970966 CET
Source IP / Port: 45.55.57.244 / 443
Dest IP / Port: 192.168.1.16 / 49225
Certificate chain:
  Subject: CN=iptrackeronline.com; Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Not Before: Mon Dec 10 17:41:36 CET 2018; Not After: Sun Mar 10 17:41:36 CET 2019
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before: Thu Mar 17 17:40:46 CET 2016; Not After: Wed Mar 17 17:40:46 CET 2021
JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d

                                                                                    Code Manipulations

Statistics

Charts not reproduced in this extract: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior (per-process).

                                                                                    System Behavior

General

Start time: 15:22:33
Start date: 18/01/2019
Path: C:\Users\user\Desktop\TkAngEQurH.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\TkAngEQurH.exe'
Imagebase: 0x400000
File size: 1277968 bytes
MD5 hash: D6C644512C430CD64965C2259150F371
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 15:24:16
Start date: 18/01/2019
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0x80000
File size: 64672 bytes
MD5 hash: ADF76F395D5A0ECBBF005390B73C3FD2
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 15:24:22
Start date: 18/01/2019
Path: C:\Users\user\AppData\Roaming\TkAngEQurH.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\AppData\Roaming\TkAngEQurH.exe'
Imagebase: 0x400000
File size: 1277968 bytes
MD5 hash: D6C644512C430CD64965C2259150F371
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 47%, virustotal
Reputation: low

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 7.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 9.9%
Total number of Nodes: 1207
Total number of Limit Nodes: 42

Graph

428b40 39410->39411 39412 430744 __lock 39411->39412 39419 430758 39412->39419 39413 4307cd 39414 428a5d __malloc_crt 16 API calls 39413->39414 39415 4307d4 39414->39415 39420 4307c6 __getstream 39415->39420 39429 42a06b InitializeCriticalSectionAndSpinCount 39415->39429 39416 43078a __mtinitlocknum 39416->39419 39416->39420 39418 4307fa EnterCriticalSection 39418->39420 39419->39413 39419->39416 39419->39420 39420->39408 39425 430877 __wopenfile 39421->39425 39422 430a4c 39424 430891 39422->39424 39430 4387f1 39422->39430 39424->39405 39425->39422 39425->39424 39426 430a38 __wcsnicmp 39425->39426 39426->39422 39427 430a57 __wcsnicmp 39426->39427 39427->39422 39428 430a76 __wcsnicmp 39427->39428 39428->39422 39428->39424 39429->39418 39433 437fd5 39430->39433 39432 43880a 39432->39424 39434 437fe1 39433->39434 39438 437ff7 39434->39438 39439 43809e 39434->39439 39436 438049 39481 438072 LeaveCriticalSection __unlock_fhandle 39436->39481 39438->39432 39445 4380be __wsopen_nolock 39439->39445 39440 429006 __invoke_watson IsProcessorFeaturePresent __call_reportfault GetCurrentProcess TerminateProcess 39441 4387f0 39440->39441 39442 437fd5 __wsopen_helper 48 API calls 39441->39442 39443 43880a 39442->39443 39443->39436 39444 438114 39444->39436 39445->39444 39446 42d4d4 __alloc_osfhnd 9 API calls 39445->39446 39453 4381f5 39445->39453 39447 4382a1 39446->39447 39447->39444 39448 437f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 39447->39448 39454 4382f0 39448->39454 39449 43836e GetFileType 39450 4383bb 39449->39450 39451 438379 GetLastError __dosmaperr CloseHandle 39449->39451 39456 42d76a __set_osfhnd SetStdHandle 39450->39456 39451->39453 39452 43833c GetLastError __dosmaperr 39452->39453 39453->39440 39454->39449 39454->39452 39455 437f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 39454->39455 39457 438331 39455->39457 39458 4383d9 39456->39458 39457->39449 39457->39452 39459 438594 39458->39459 39460 438436 __lseeki64_nolock 
39458->39460 39461 438455 39458->39461 39459->39453 39463 438767 CloseHandle 39459->39463 39460->39461 39471 43846e 39460->39471 39461->39459 39465 438462 __close_nolock 39461->39465 39461->39471 39472 438669 __lseeki64_nolock 39461->39472 39473 4386b8 __write 39461->39473 39475 438599 __lseeki64_nolock 39461->39475 39462 4310ab 33 API calls __read_nolock 39462->39471 39464 437f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 39463->39464 39467 43878e 39464->39467 39465->39471 39466 4384a1 __lseeki64_nolock 39466->39461 39466->39465 39467->39453 39469 438796 GetLastError __dosmaperr 39467->39469 39468 43848c __chsize_nolock 39468->39465 39468->39466 39470 42d67d __free_osfhnd SetStdHandle 39469->39470 39470->39453 39471->39462 39471->39465 39471->39466 39471->39468 39474 43867a __lseeki64_nolock 39471->39474 39477 438611 __close_nolock 39471->39477 39479 438630 __lseeki64_nolock 39471->39479 39480 4385fa 39471->39480 39472->39461 39472->39474 39473->39461 39473->39465 39474->39459 39474->39471 39475->39461 39476 4385ae __lseeki64_nolock 39475->39476 39476->39465 39476->39471 39478 43861e 39477->39478 39478->39453 39479->39465 39479->39480 39480->39459 39481->39438 39483 420ff6 18 API calls 39482->39483 39484 4053a0 39483->39484 39484->39386 39486 405020 39485->39486 39487 405003 FindResourceExW 39485->39487 39486->39391 39487->39486 39488 43dd5c LoadResource 39487->39488 39488->39486 39489 43dd71 SizeofResource 39488->39489 39489->39486 39490 43dd85 LockResource 39489->39490 39490->39486 39492 405054 _fseek 39491->39492 39493 43ddd4 39491->39493 39492->39391 39497 42582d 39494->39497 39496 40508e 39496->39401 39498 425839 39497->39498 39499 42587c __lock_file 39498->39499 39501 42584f _memset __fread_nolock 39498->39501 39502 42564d 35 API calls 3 library calls 39499->39502 39501->39496 39502->39501 39506 42543a GetSystemTimeAsFileTime 39503->39506 39505 4691f8 39505->39403 39507 425468 __aulldiv 39506->39507 39507->39505 39508->39321 39509->39326 39511 
4092c9 39510->39511 39512 420ff6 18 API calls 39511->39512 39514 4092d3 39511->39514 39513 43f5d4 39512->39513 39514->39331 39515->39370 39517 431b90 39516->39517 39518 4048bb GetFullPathNameW 39517->39518 39519 4048da 39518->39519 39519->39197 39521 431b90 39520->39521 39522 4209e2 GetLongPathNameW 39521->39522 39523 420a0a 39522->39523 39523->39199 39525 4077c7 18 API calls 39524->39525 39526 40717d 39525->39526 39527 4048ae GetFullPathNameW 39526->39527 39528 407188 39527->39528 39529 43ecae 39528->39529 39561 4034c2 39528->39561 39531 4071b2 39531->39202 39533 404f3d 91 API calls 39532->39533 39534 4069ef 39533->39534 39535 406a03 39534->39535 39536 404f3d 91 API calls 39534->39536 39537 4697e5 38 API calls 39535->39537 39539 406a0b 39535->39539 39536->39535 39538 43e46f 39537->39538 39540 43e473 39538->39540 39541 43e490 39538->39541 39543 406a17 39539->39543 39544 43e47b 39539->39544 39545 404faa 7 API calls 39540->39545 39542 420ff6 18 API calls 39541->39542 39560 43e4d5 39542->39560 39543->39204 39590 464534 6 API calls 39544->39590 39545->39544 39547 43e489 39547->39541 39548 43e689 39549 422f95 _free 2 API calls 39548->39549 39550 43e691 39549->39550 39551 404faa 7 API calls 39550->39551 39555 43e69a 39551->39555 39554 422f95 _free 2 API calls 39554->39555 39555->39554 39557 404faa 7 API calls 39555->39557 39557->39555 39558 407f41 18 API calls 39558->39560 39560->39548 39560->39555 39560->39558 39567 45fc4d 39560->39567 39570 467621 39560->39570 39576 40766f 39560->39576 39584 4074bd 39560->39584 39562 4034d4 39561->39562 39566 4034f3 _memmove 39561->39566 39564 420ff6 18 API calls 39562->39564 39563 420ff6 18 API calls 39565 40350a 39563->39565 39564->39566 39565->39531 39566->39563 39568 420ff6 18 API calls 39567->39568 39569 45fc7d _memmove 39568->39569 39569->39560 39569->39569 39571 46762c 39570->39571 39572 420ff6 18 API calls 39571->39572 39573 467643 39572->39573 39574 467652 39573->39574 39575 407f41 18 API calls 39573->39575 39574->39560 
39575->39574 39577 40770f 39576->39577 39581 407682 _memmove 39576->39581 39579 420ff6 18 API calls 39577->39579 39578 420ff6 18 API calls 39580 407689 39578->39580 39579->39581 39582 420ff6 18 API calls 39580->39582 39583 4076b2 39580->39583 39581->39578 39582->39583 39583->39560 39585 4074d0 39584->39585 39588 40757e 39584->39588 39587 420ff6 18 API calls 39585->39587 39589 407502 39585->39589 39586 420ff6 18 API calls 39586->39589 39587->39589 39588->39560 39589->39586 39589->39588 39590->39547 39591->39210 39592->39211 39594 40e5b1 39593->39594 39595 40e59d 39593->39595 39724 46a0b5 49 API calls __swprintf 39594->39724 39723 40e060 126 API calls _memmove 39595->39723 39598 40e5a8 39598->39274 39599 443ece 39599->39599 39601 40e835 39600->39601 39602 443ed3 39601->39602 39605 40e89f 39601->39605 39614 40e8f9 39601->39614 39603 40a000 58 API calls 39602->39603 39604 443ee8 39603->39604 39627 40ead0 39604->39627 39726 46a0b5 49 API calls __swprintf 39604->39726 39608 4077c7 18 API calls 39605->39608 39605->39614 39606 4077c7 18 API calls 39606->39614 39609 443f2e 39608->39609 39611 422f80 __cinit 9 API calls 39609->39611 39610 422f80 __cinit 9 API calls 39610->39614 39611->39614 39612 443f50 39612->39274 39613 408620 27 API calls 39613->39627 39614->39606 39614->39610 39614->39612 39615 40eaba 39614->39615 39614->39627 39615->39627 39727 46a0b5 49 API calls __swprintf 39615->39727 39616 40a000 58 API calls 39616->39627 39623 44424f 39623->39274 39624 46a0b5 49 API calls 39624->39627 39625 40f2f5 39730 46a0b5 49 API calls __swprintf 39625->39730 39626 40ebd8 39626->39274 39627->39613 39627->39616 39627->39624 39627->39625 39627->39626 39725 4080d7 18 API calls _memmove 39627->39725 39728 47c8d7 58 API calls 39627->39728 39729 47b851 62 API calls 39627->39729 39731 4796db 29 API calls 39627->39731 39629 40f7b0 39628->39629 39631 40f61a 39628->39631 39630 407f41 18 API calls 39629->39630 39636 40f6ec 39630->39636 39633 444848 39631->39633 39732 40f3f0 39631->39732 
39637 40f743 39633->39637 39757 46a0b5 49 API calls __swprintf 39633->39757 39635 40f65d 39635->39633 39635->39636 39635->39637 39747 463e73 39636->39747 39750 412e02 39636->39750 39637->39274 39766 4082e0 39640->39766 39642 40fe9d 39643 444b57 39642->39643 39678 410856 39642->39678 39770 40f394 39642->39770 39783 46a0b5 49 API calls __swprintf 39643->39783 39647 444b6c 39648 444cb7 39648->39647 39663 40ffac 39648->39663 39788 47a5ee 19 API calls 39648->39788 39649 410677 39655 420ff6 18 API calls 39649->39655 39650 444c01 39650->39647 39785 46a0b5 49 API calls __swprintf 39650->39785 39652 420ff6 18 API calls 39668 40ff33 39652->39668 39661 4106a5 _memmove 39655->39661 39656 40ff9e 39656->39648 39656->39663 39787 456665 18 API calls _memmove 39656->39787 39658 444b7f 39658->39650 39784 40f803 58 API calls 39658->39784 39665 420ff6 18 API calls 39661->39665 39662 444c95 39664 40a000 58 API calls 39662->39664 39687 444f4e 39663->39687 39690 410238 _memmove 39663->39690 39774 4084dc 39663->39774 39664->39648 39665->39690 39667 420ff6 18 API calls 39669 410099 39667->39669 39668->39647 39668->39649 39668->39652 39668->39656 39668->39658 39668->39661 39670 40a000 58 API calls 39668->39670 39680 444c36 39668->39680 39673 410b30 126 API calls 39669->39673 39669->39678 39670->39668 39671 444e77 39672 40a000 58 API calls 39671->39672 39674 444eb1 39672->39674 39676 410112 39673->39676 39674->39647 39679 408620 27 API calls 39674->39679 39675 408b13 27 API calls 39675->39690 39676->39661 39677 410146 39676->39677 39676->39678 39685 4081a7 18 API calls 39677->39685 39688 410167 39677->39688 39782 46a0b5 49 API calls __swprintf 39678->39782 39683 444edc 39679->39683 39786 46a0b5 49 API calls __swprintf 39680->39786 39681 4088a0 27 API calls 39681->39690 39789 46a0b5 49 API calls __swprintf 39683->39789 39685->39688 39686 420ff6 18 API calls 39686->39690 39687->39647 39790 46a0b5 49 API calls __swprintf 39687->39790 39688->39678 39688->39687 39688->39690 39689 444e46 39691 
420ff6 18 API calls 39689->39691 39690->39671 39690->39675 39690->39678 39690->39681 39690->39683 39690->39686 39690->39689 39693 4102c2 39690->39693 39781 4087c0 27 API calls 39690->39781 39691->39671 39693->39274 39793 42012c 39694->39793 39696 4111dd 39697 411044 39696->39697 39698 446156 39696->39698 39697->39216 39701 4111f3 39697->39701 39797 4674d2 6 API calls 39698->39797 39798 4674d2 6 API calls 39698->39798 39702 407f41 18 API calls 39701->39702 39703 41121d 39702->39703 39704 408b13 27 API calls 39703->39704 39705 411232 39704->39705 39706 407f41 18 API calls 39705->39706 39707 41125f 39706->39707 39708 408b13 27 API calls 39707->39708 39709 411270 39708->39709 39710 411294 39709->39710 39800 4568bf 126 API calls 39709->39800 39710->39221 39712->39274 39713->39274 39714->39226 39715->39226 39716->39274 39717->39274 39718->39274 39719->39263 39720->39263 39721->39263 39722->39263 39723->39598 39724->39599 39725->39627 39726->39627 39727->39627 39728->39627 39729->39627 39730->39623 39731->39627 39733 40f59a 39732->39733 39735 40f41c 39732->39735 39759 46a0b5 49 API calls __swprintf 39733->39759 39735->39733 39740 40f459 _memmove 39735->39740 39736 4447d3 39736->39635 39737 40f543 39737->39635 39739 420ff6 18 API calls 39739->39740 39740->39736 39740->39739 39741 444823 39740->39741 39742 40a000 58 API calls 39740->39742 39744 4447d5 39740->39744 39746 40f533 39740->39746 39761 40f803 58 API calls 39741->39761 39742->39740 39760 46a0b5 49 API calls __swprintf 39744->39760 39746->39737 39758 47a5ee 19 API calls 39746->39758 39762 464696 GetFileAttributesW 39747->39762 39751 412e16 39750->39751 39752 412e51 Sleep 39751->39752 39753 412e1a timeGetTime 39751->39753 39755 412e49 39752->39755 39754 412e30 39753->39754 39756 410b30 124 API calls 39754->39756 39755->39637 39756->39755 39757->39637 39758->39737 39759->39736 39760->39736 39761->39736 39763 463e7a 39762->39763 39764 4646b1 FindFirstFileW 39762->39764 39763->39637 39764->39763 39765 4646c6 FindClose 
39764->39765 39765->39763 39767 4082ef 39766->39767 39769 40830a 39766->39769 39768 4082f7 CharUpperBuffW 39767->39768 39768->39769 39769->39642 39771 40f3b1 39770->39771 39773 40f3d2 39771->39773 39791 46a0b5 49 API calls __swprintf 39771->39791 39773->39668 39775 43f1e6 39774->39775 39776 4084ed 39774->39776 39777 420ff6 18 API calls 39776->39777 39778 4084f4 39777->39778 39779 408515 39778->39779 39792 408794 18 API calls 39778->39792 39779->39667 39779->39677 39779->39690 39781->39690 39782->39643 39783->39647 39784->39650 39785->39647 39786->39647 39787->39662 39788->39663 39789->39647 39790->39647 39791->39773 39792->39779 39794 420137 39793->39794 39795 42013f 39794->39795 39799 4729da InternetCloseHandle InternetCloseHandle 39794->39799 39795->39696 39797->39696 39798->39696 39799->39794 39800->39709 39802 407be5 _memmove 39801->39802 39803 407bbf 39801->39803 39802->39293 39802->39802 39803->39802 39804 420ff6 18 API calls 39803->39804 39805 407c34 39804->39805 39806 420ff6 18 API calls 39805->39806 39806->39802 39808 428b40 39807->39808 39809 423475 __lock 39808->39809 39810 42348e 39809->39810 39813 423535 __cinit _raise 39809->39813 39811 4234aa RtlDecodePointer 39810->39811 39810->39813 39812 4234c1 RtlDecodePointer 39811->39812 39811->39813 39818 4234d1 39812->39818 39814 423592 39813->39814 39815 423569 39813->39815 39814->39071 39822 4232df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 39815->39822 39816 4234de RtlEncodePointer 39816->39818 39818->39813 39818->39816 39819 4234ee RtlDecodePointer RtlEncodePointer 39818->39819 39821 423500 RtlDecodePointer RtlDecodePointer 39819->39821 39821->39818 39823 401055 39828 402649 39823->39828 39826 422f80 __cinit 9 API calls 39827 401064 39826->39827 39829 4077c7 18 API calls 39828->39829 39830 4026b7 39829->39830 39835 403582 39830->39835 39832 402754 39834 40105a 39832->39834 39838 403416 39832->39838 39834->39826 39844 4035b0 39835->39844 39839 40344e 39838->39839 39843 403428 
_memmove 39838->39843 39841 420ff6 18 API calls 39839->39841 39840 420ff6 18 API calls 39842 40342e 39840->39842 39841->39843 39842->39832 39843->39840 39845 4035bd 39844->39845 39846 4035a1 39844->39846 39845->39846 39847 4035c4 RegOpenKeyExW 39845->39847 39846->39832 39847->39846 39848 4035de RegQueryValueExW 39847->39848 39849 403614 RegCloseKey 39848->39849 39850 4035ff 39848->39850 39849->39846 39850->39849 39851 440251 39852 440267 39851->39852 39853 4402e8 39852->39853 39855 44027d 39852->39855 39854 40fe40 126 API calls 39853->39854 39856 4402dc 39854->39856 39855->39856 39860 4685d9 18 API calls 39855->39860 39858 440ce1 39856->39858 39861 46a0b5 49 API calls __swprintf 39856->39861 39860->39856 39861->39858 39862 401016 39867 404ad2 39862->39867 39865 422f80 __cinit 9 API calls 39866 401025 39865->39866 39868 420ff6 18 API calls 39867->39868 39869 404ada 39868->39869 39871 40101b 39869->39871 39874 404a94 39869->39874 39871->39865 39875 404aaf 39874->39875 39876 404a9d 39874->39876 39878 404afe 39875->39878 39877 422f80 __cinit 9 API calls 39876->39877 39877->39875 39879 4077c7 18 API calls 39878->39879 39880 404b16 GetVersionExW 39879->39880 39887 404b59 39880->39887 39881 404bf1 GetCurrentProcess IsWow64Process 39882 404c0a 39881->39882 39884 404c20 39882->39884 39885 404c89 GetSystemInfo 39882->39885 39883 43dc8d 39888 404c7d GetSystemInfo 39884->39888 39889 404c32 39884->39889 39886 404c56 39885->39886 39886->39871 39887->39881 39887->39883 39888->39889 39889->39886 39890 404c4d FreeLibrary 39889->39890 39890->39886 39891 422e55 __calloc_crt RtlEncodePointer 39892 422e78 39891->39892 39893 401098 39898 404233 39893->39898 39896 422f80 __cinit 9 API calls 39897 4010a7 39896->39897 39899 407f41 18 API calls 39898->39899 39900 40427f 39899->39900 39901 407f41 18 API calls 39900->39901 39902 40428e 39901->39902 39903 4077c7 18 API calls 39902->39903 39904 404298 39903->39904 39905 4077c7 18 API calls 39904->39905 39906 4042a2 39905->39906 39907 4077c7 18 
API calls 39906->39907 39908 4042ac 39907->39908 39909 4077c7 18 API calls 39908->39909 39910 40109d 39908->39910 39909->39908 39910->39896 39911 445d9d 39940 410b7f 39911->39940 39912 410e5a 39913 4111d0 8 API calls 39914 411044 39913->39914 39914->39912 39916 4111f3 126 API calls 39914->39916 39915 410bab PeekMessageW 39915->39940 39917 411058 LockWindowUpdate DestroyWindow GetMessageW 39916->39917 39917->39912 39921 41108a 39917->39921 39918 4452ab Sleep 39918->39940 39919 410e44 39919->39912 39919->39913 39922 446082 TranslateMessage DispatchMessageW GetMessageW 39921->39922 39922->39912 39922->39922 39923 410fa3 PeekMessageW 39923->39940 39924 410fbf TranslateMessage DispatchMessageW 39924->39923 39925 44517a TranslateAcceleratorW 39925->39923 39925->39940 39926 420ff6 18 API calls 39926->39940 39927 410e73 timeGetTime 39927->39940 39928 445c49 WaitForSingleObject 39929 445c66 GetExitCodeProcess CloseHandle 39928->39929 39928->39940 39933 4110f5 39929->39933 39930 410fdd Sleep 39930->39940 39931 4081a7 18 API calls 39931->39940 39932 4077c7 18 API calls 39950 44548d 39932->39950 39934 445f22 Sleep 39934->39950 39937 40b89c 126 API calls 39937->39940 39939 4110ae timeGetTime 39939->39940 39940->39915 39940->39918 39940->39919 39940->39923 39940->39924 39940->39925 39940->39926 39940->39927 39940->39928 39940->39930 39940->39931 39940->39933 39940->39934 39940->39937 39940->39939 39946 40b93d 19 API calls 39940->39946 39940->39950 39951 40e580 126 API calls 39940->39951 39955 40e800 73 API calls 39940->39955 39957 40f5c0 126 API calls 39940->39957 39958 40fe40 126 API calls 39940->39958 39960 46a0b5 49 API calls 39940->39960 39962 408620 27 API calls 39940->39962 39963 40a000 58 API calls 39940->39963 39964 4459ff #9 39940->39964 39965 445a95 #9 39940->39965 39966 445843 #9 39940->39966 39967 407f41 18 API calls 39940->39967 39968 408b13 27 API calls 39940->39968 39969 4031ce IsDialogMessageW GetClassLongW 39940->39969 39970 420719 timeGetTime 39940->39970 39971 
48629f 18 API calls 39940->39971 39972 456665 18 API calls _memmove 39940->39972 39973 408561 18 API calls 39940->39973 39941 445fb9 GetExitCodeProcess 39942 445fe5 CloseHandle 39941->39942 39943 445fcf WaitForSingleObject 39941->39943 39942->39950 39943->39940 39943->39942 39945 4861ac 20 API calls 39945->39950 39946->39940 39947 445c9e 39947->39933 39948 446041 Sleep 39948->39940 39949 4454a2 Sleep 39949->39940 39950->39932 39950->39940 39950->39941 39950->39945 39950->39947 39950->39948 39950->39949 39952 407f41 18 API calls 39950->39952 39956 408b13 27 API calls 39950->39956 39974 4628f7 19 API calls 39950->39974 39975 40b89c 126 API calls 39950->39975 39976 4654e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 39950->39976 39977 420719 timeGetTime 39950->39977 39951->39940 39952->39950 39955->39940 39956->39950 39957->39940 39958->39940 39960->39940 39962->39940 39963->39940 39964->39940 39965->39940 39966->39940 39967->39940 39968->39940 39969->39940 39970->39940 39971->39940 39972->39940 39973->39940 39974->39950 39975->39950 39976->39950 39977->39950 39978 444599 39982 45655c 39978->39982 39980 4445a4 39981 45655c 20 API calls 39980->39981 39981->39980 39986 456596 39982->39986 39988 456569 39982->39988 39983 456598 39992 409488 18 API calls 39983->39992 39985 45659d 39987 407c8e 18 API calls 39985->39987 39986->39980 39987->39986 39988->39983 39988->39985 39988->39986 39989 456590 39988->39989 39991 409700 _wcsstr _wcsstr 39989->39991 39991->39986 39992->39985 39993 434d1c 39994 434d51 39993->39994 39995 434d2c 39993->39995 39995->39994 40000 42a730 39995->40000 39997 434d5c 39998 42a364 SetUnhandledExceptionFilter 39997->39998 39999 434d67 39998->39999 40002 42a73c 40000->40002 40004 428683 18 API calls 2 library calls 40002->40004 40005 440226 40009 40ade2 40005->40009 40006 40b6c1 40016 46a0b5 49 API calls __swprintf 40006->40016 40008 440c86 40009->40006 40009->40008 40010 4400e0 #9 40009->40010 40012 46899f 
40009->40012 40010->40009 40013 4689ad 40012->40013 40014 4689a8 40012->40014 40013->40009 40017 467a3d 40014->40017 40016->40008 40018 467a54 40017->40018 40033 467b74 40017->40033 40019 467a94 40018->40019 40020 467a6c 40018->40020 40022 467aab 40018->40022 40021 420ff6 18 API calls 40019->40021 40020->40019 40023 467a7c 40020->40023 40035 467a8a _memmove 40021->40035 40024 420ff6 18 API calls 40022->40024 40034 467ac8 40022->40034 40031 420ff6 18 API calls 40023->40031 40024->40034 40025 467af3 40028 420ff6 18 API calls 40025->40028 40026 467b01 40027 420ff6 18 API calls 40026->40027 40029 467b07 40027->40029 40028->40035 40036 46770d 18 API calls 40029->40036 40030 420ff6 18 API calls 40030->40033 40031->40035 40033->40013 40034->40025 40034->40026 40034->40035 40035->40030 40036->40035 40037 40ab23 40038 40ab36 40037->40038 40040 40b37c 40037->40040 40039 420ff6 18 API calls 40038->40039 40038->40040 40048 40ab48 _memmove 40039->40048 40072 40f803 58 API calls 40040->40072 40042 407f41 18 API calls 40042->40048 40043 40b685 40076 46a0b5 49 API calls __swprintf 40043->40076 40045 420ff6 18 API calls 40045->40048 40046 40a000 58 API calls 40046->40048 40047 440ca2 40077 46a0b5 49 API calls __swprintf 40047->40077 40048->40040 40048->40042 40048->40043 40048->40045 40048->40046 40048->40047 40055 40a1b7 40048->40055 40056 40ade2 40048->40056 40061 40a097 40048->40061 40073 47c4a7 19 API calls 40048->40073 40074 47c5f4 20 API calls 40048->40074 40052 420ff6 18 API calls 40052->40061 40054 40b5da 40080 46a0b5 49 API calls __swprintf 40054->40080 40056->40043 40056->40055 40062 4400e0 #9 40056->40062 40071 46899f 18 API calls 40056->40071 40057 40b5d5 40059 4081a7 18 API calls 40057->40059 40059->40055 40060 44047f 40075 46a0b5 49 API calls __swprintf 40060->40075 40061->40052 40061->40054 40061->40055 40061->40057 40061->40060 40064 4081a7 18 API calls 40061->40064 40066 4077c7 18 API calls 40061->40066 40067 422f80 9 API calls __cinit 40061->40067 40068 440e00 
40061->40068 40070 40a6ba 40061->40070 40062->40056 40064->40061 40065 44048e 40066->40061 40067->40061 40079 46a0b5 49 API calls __swprintf 40068->40079 40078 46a0b5 49 API calls __swprintf 40070->40078 40071->40056 40072->40043 40073->40048 40074->40048 40075->40065 40076->40055 40077->40055 40078->40055 40079->40054 40080->40055 40081 4664e3 40084 4664ff 40081->40084 40083 4664fa 40098 46641c 40084->40098 40086 46651e 40087 466580 40086->40087 40089 466598 40086->40089 40092 466524 _memmove 40086->40092 40111 46675a 21 API calls _memmove 40087->40111 40090 46899f 18 API calls 40089->40090 40089->40092 40097 4665e5 40089->40097 40093 4665b9 40090->40093 40092->40083 40094 46899f 18 API calls 40093->40094 40095 4665d0 _memmove 40094->40095 40096 46899f 18 API calls 40095->40096 40096->40097 40097->40092 40102 46794e 40097->40102 40099 46646a 40098->40099 40101 46642d 40098->40101 40099->40086 40100 42313d _W_store_winword 27 API calls 40100->40101 40101->40099 40101->40100 40103 467959 40102->40103 40104 420ff6 18 API calls 40103->40104 40105 467960 40104->40105 40106 46796c 40105->40106 40107 46798d 40105->40107 40108 420ff6 18 API calls 40106->40108 40109 420ff6 18 API calls 40107->40109 40110 467975 _memset 40108->40110 40109->40110 40110->40092 40111->40092 40112 401066 40117 40f8cf 40112->40117 40114 40106c 40115 422f80 __cinit 9 API calls 40114->40115 40116 401076 40115->40116 40118 40f8f0 40117->40118 40146 420143 40118->40146 40120 40f8f6 40153 4203a2 6 API calls 40120->40153 40122 40f937 40123 4077c7 18 API calls 40122->40123 40124 40f941 40123->40124 40125 4077c7 18 API calls 40124->40125 40126 40f94b 40125->40126 40127 4077c7 18 API calls 40126->40127 40128 40f955 40127->40128 40129 4077c7 18 API calls 40128->40129 40130 40f993 40129->40130 40131 4077c7 18 API calls 40130->40131 40132 40fa5e 40131->40132 40154 4160e7 40132->40154 40136 40fa90 40137 4077c7 18 API calls 40136->40137 40138 40fa9a 40137->40138 40139 40faf1 GetStdHandle 40138->40139 40140 
4449d5 40139->40140 40141 40fb3d 40139->40141 40140->40141 40142 4449de 40140->40142 40143 40fb45 OleInitialize 40141->40143 40176 4674a9 CreateThread 40142->40176 40143->40114 40145 4449f1 CloseHandle 40145->40143 40177 42021c 40146->40177 40149 42021c 18 API calls 40150 420185 40149->40150 40151 4077c7 18 API calls 40150->40151 40152 420191 40151->40152 40152->40120 40153->40122 40155 4077c7 18 API calls 40154->40155 40156 4160f7 40155->40156 40157 4077c7 18 API calls 40156->40157 40158 4160ff 40157->40158 40159 4077c7 18 API calls 40158->40159 40160 41611a 40159->40160 40161 420ff6 18 API calls 40160->40161 40162 40fa68 40161->40162 40163 416259 40162->40163 40164 416267 40163->40164 40165 4077c7 18 API calls 40164->40165 40166 416272 40165->40166 40167 4077c7 18 API calls 40166->40167 40168 41627d 40167->40168 40169 4077c7 18 API calls 40168->40169 40170 416288 40169->40170 40171 4077c7 18 API calls 40170->40171 40172 416293 40171->40172 40173 420ff6 18 API calls 40172->40173 40174 4162a5 RegisterWindowMessageW 40173->40174 40174->40136 40176->40145 40178 4077c7 18 API calls 40177->40178 40179 420227 40178->40179 40180 4077c7 18 API calls 40179->40180 40181 42022f 40180->40181 40182 4077c7 18 API calls 40181->40182 40183 42017b 40182->40183 40183->40149 40184 401027 40185 40102c 40184->40185 40186 422f80 __cinit 9 API calls 40185->40186 40187 401036 40186->40187 40192 40b56e 40193 40b584 40192->40193 40198 40c707 40193->40198 40195 40b5ac 40196 40a4e8 40195->40196 40205 46a0b5 49 API calls __swprintf 40195->40205 40199 40c72c _wcscmp 40198->40199 40200 407f41 18 API calls 40199->40200 40202 40c760 40199->40202 40201 441abb 40200->40201 40203 407c8e 18 API calls 40201->40203 40202->40195 40204 441ac6 40203->40204 40204->40195 40205->40196 40206 403633 40207 40366a 40206->40207 40208 4036e7 40207->40208 40209 403688 40207->40209 40242 4036e5 40207->40242 40211 4036ed 40208->40211 40212 43d31c 40208->40212 40213 403695 40209->40213 40214 40375d PostQuitMessage 
40209->40214 40210 4036ca DefWindowProcW 40231 4036d8 40210->40231 40215 4036f2 40211->40215 40216 403715 SetTimer RegisterWindowMessageW 40211->40216 40217 4111d0 8 API calls 40212->40217 40221 403767 40213->40221 40222 4036a8 40213->40222 40213->40242 40214->40231 40218 4036f9 KillTimer 40215->40218 40219 43d2bf 40215->40219 40220 40373e CreatePopupMenu 40216->40220 40216->40231 40223 43d343 40217->40223 40247 4044cb Shell_NotifyIconW _memset 40218->40247 40225 43d2c4 40219->40225 40226 43d2f8 MoveWindow 40219->40226 40220->40231 40250 404531 24 API calls _memset 40221->40250 40228 4036b3 40222->40228 40229 43d374 40222->40229 40230 4111f3 126 API calls 40223->40230 40232 43d2e7 SetFocus 40225->40232 40233 43d2c8 40225->40233 40226->40231 40235 40374b 40228->40235 40236 4036be 40228->40236 40229->40210 40253 45817e 18 API calls 40229->40253 40230->40236 40232->40231 40233->40236 40237 43d2d1 40233->40237 40234 40370c 40248 403114 DeleteObject DestroyWindow 40234->40248 40249 4045df 38 API calls _memset 40235->40249 40236->40210 40251 4044cb Shell_NotifyIconW _memset 40236->40251 40241 4111d0 8 API calls 40237->40241 40241->40231 40242->40210 40242->40231 40243 40375b 40243->40231 40245 43d368 40252 4043db 38 API calls _memset 40245->40252 40247->40234 40248->40231 40249->40243 40250->40231 40251->40245 40252->40242 40253->40242 40254 468c33 40255 42594c std::exception::_Copy_str 15 API calls 40254->40255 40256 468c42 40255->40256 40257 42594c std::exception::_Copy_str 15 API calls 40256->40257 40258 468c56 40257->40258 40259 42594c std::exception::_Copy_str 15 API calls 40258->40259 40260 468c6a 40259->40260 40261 401078 40266 4071eb 40261->40266 40263 40108c 40264 422f80 __cinit 9 API calls 40263->40264 40265 401096 40264->40265 40267 4071fb 40266->40267 40268 4077c7 18 API calls 40267->40268 40269 4072b1 40268->40269 40270 404864 20 API calls 40269->40270 40271 4072ba 40270->40271 40290 42074f 40271->40290 40273 4072c5 40274 4077c7 18 API calls 40273->40274 
40275 4072eb 40274->40275 40276 4072f4 RegOpenKeyExW 40275->40276 40277 43ecda RegQueryValueExW 40276->40277 40281 407316 40276->40281 40278 43ecf7 40277->40278 40279 43ed6c RegCloseKey 40277->40279 40280 420ff6 18 API calls 40278->40280 40279->40281 40289 43ed7e 40279->40289 40282 43ed10 40280->40282 40281->40263 40283 40538e 18 API calls 40282->40283 40284 43ed1b RegQueryValueExW 40283->40284 40285 43ed38 40284->40285 40285->40279 40286 43edbf _wcscat 40286->40289 40287 407f41 18 API calls 40287->40289 40288 43edf4 _wcscat 40288->40289 40289->40281 40289->40286 40289->40287 40289->40288 40291 431b90 40290->40291 40292 42075c GetFullPathNameW 40291->40292 40293 42077e 40292->40293 40293->40273 40294 401038 40295 422f80 __cinit 9 API calls 40294->40295 40296 401042 40295->40296 40301 40c83b 40302 441d08 40301->40302 40305 4649ff SHGetFolderPathW 40302->40305 40304 441d11 40306 464a2c 40305->40306 40306->40304

Executed Functions

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B7A
  • Part of subcall function 00403778: _free.LIBCMT ref: 0043D3D5
• IsDebuggerPresent.KERNEL32 ref: 00403B8C
• SetCurrentDirectoryW.KERNEL32(?), ref: 00403C81
  • Part of subcall function 004073E5: _memset.LIBCMT ref: 0043EE62
  • Part of subcall function 004073E5: GetOpenFileNameW.COMDLG32(?), ref: 0043EEAC
• GetFullPathNameW.KERNEL32(00007FFF,?,?,004C62F8,004C62E0,?,?), ref: 00403BFD
  • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
  • Part of subcall function 00410A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C26,004C62F8,?,?,?), ref: 00410ACE
  • Part of subcall function 00410A8D: _wcscat.LIBCMT ref: 004450E1
  • Part of subcall function 00403A58: GetSysColorBrush.USER32(0000000F), ref: 00403A62
  • Part of subcall function 00403A58: LoadCursorW.USER32(00000000,00007F00), ref: 00403A71
  • Part of subcall function 00403A58: LoadIconW.USER32(00000063), ref: 00403A88
  • Part of subcall function 00403A58: LoadIconW.USER32(000000A4), ref: 00403A9A
  • Part of subcall function 00403A58: LoadIconW.USER32(000000A2), ref: 00403AAC
  • Part of subcall function 00403A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AD2
  • Part of subcall function 00403A58: RegisterClassExW.USER32(?), ref: 00403B28
  • Part of subcall function 004039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00403A15
  • Part of subcall function 004039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A36
  • Part of subcall function 004039E7: ShowWindow.USER32(00000000), ref: 00403A4A
  • Part of subcall function 004039E7: ShowWindow.USER32(00000000), ref: 00403A53
  • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
  • Part of subcall function 00410B30: timeGetTime.WINMM ref: 00410E76
  • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
  • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 00410FC7
  • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00410FD5
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00410FDF
  • Part of subcall function 00410B30: LockWindowUpdate.USER32(00000000), ref: 0041105A
  • Part of subcall function 00410B30: DestroyWindow.USER32 ref: 00411066
  • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
  • Part of subcall function 00410B30: timeGetTime.WINMM ref: 004110B2
  • Part of subcall function 00410B30: TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004452AD
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
  • Part of subcall function 00410B30: #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,00000000,?,?,?,?), ref: 00445844
  • Part of subcall function 00410B30: #9.OLEAUT32(00000000), ref: 00445A00
  • Part of subcall function 00410B30: #9.OLEAUT32(?,00000000,00000001,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,00000000,?,?,?,?), ref: 00445A96
  • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
  • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
  • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445C7D
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00445F24
  • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
  • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
  • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445FEB
  • Part of subcall function 00410B30: Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
  • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 0044608A
  • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00446098
  • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
  • Part of subcall function 004044CB: _memset.LIBCMT ref: 004044F7
  • Part of subcall function 004044CB: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00404527
  • Part of subcall function 004043DB: _memset.LIBCMT ref: 00404401
  • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004044A6
  • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004044C3
  • Part of subcall function 00404864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004072BA,?,?,?,?,0040108C,-004C5E84), ref: 00404882
  • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B93F0,00000010), ref: 0043D4BC
• SetCurrentDirectoryW.KERNEL32(?,004C62F8,?,?,?), ref: 0043D4F4
  • Part of subcall function 00464C03: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00464C2C
  • Part of subcall function 00464C03: CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00464C43
  • Part of subcall function 00464C03: FreeSid.ADVAPI32(?), ref: 00464C53
  • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
• GetForegroundWindow.USER32 ref: 0043D57A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D581
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Message$Window$Icon$LoadSleep$Name$CurrentDirectoryNotifyShell_Translate_memmove_memset$CloseCodeCreateDispatchExitFileFullHandleObjectPathPeekProcessShowSingleTimeWaittime$AcceleratorAllocateBrushCheckClassColorCursorDebuggerDestroyExecuteForegroundFreeImageInitializeLockMembershipModuleOpenPresentRegisterShellTokenUpdate_free_wcscat
• String ID: This is a third-party compiled AutoIt script.$runas$%I
• API String ID: 2176838863-2806069697
• Opcode ID: 91b92454bf91a44166975481b8e2b8271c529dcaa901a66378d9e8ae173649a1
• Instruction ID: 0f2c37a458a75ddd4165d4490fb1e043a1c32b8e6bc4467291d23e22a2595f58
• Opcode Fuzzy Hash: 91b92454bf91a44166975481b8e2b8271c529dcaa901a66378d9e8ae173649a1
• Instruction Fuzzy Hash: F351B575D08248AADB11AFB5DC05EEE7B78AB45304B1081BFF811B21E1DA7C5645CB2E
Uniqueness
• Uniqueness Score: 100.00%

Control-flow Graph
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00404FF9
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404EEE,?,?,00000000,00000000), ref: 00405010
• LoadResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD60
• SizeofResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD75
• LockResource.KERNEL32(N@,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F,00000000), ref: 0043DD88
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT$N@
• API String ID: 3051347437-2499734412
• Opcode ID: 5ec92892c76f8d1a0b25561ef3fd13e1900f32b078569a65020aaf11a3c9a4ea
• Instruction ID: 67856c902de3f53bc3f8eb18af461e19ea0094fb9f07ee8290f0089f1c16aac3
• Opcode Fuzzy Hash: 5ec92892c76f8d1a0b25561ef3fd13e1900f32b078569a65020aaf11a3c9a4ea
• Instruction Fuzzy Hash: 33115A75200700AFD7218B65EC58F6B7BB9EBC9B11F20457DF406D62A0DB72E8048A69
Uniqueness
• Uniqueness Score: 100.00%

Control-flow Graph
APIs
• GetVersionExW.KERNEL32(?,?,00000000), ref: 00404B2B
  • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
  • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
• GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?,?,00000000), ref: 00404BF8
• IsWow64Process.KERNEL32(00000000,?,00000000), ref: 00404BFF
• GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00404C8D
  • Part of subcall function 00404C95: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00404CA3
  • Part of subcall function 00404C95: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00000000), ref: 00404CB5
• FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00404C50
• GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00404C81
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: InfoLibraryProcessSystem_memmove$AddressCurrentFreeLoadProcVersionWow64
• String ID:
• API String ID: 4273104156-0
• Opcode ID: 3ed813c13ab6b729a72130ac9ebb5d7e38d938aafd0c7b4dc5ce7f0b8531fff9
• Instruction ID: a2a37668ba8dc9db7c0339275d8cd71390b5c234514a477f546c7b3e3bed8d02
• Opcode Fuzzy Hash: 3ed813c13ab6b729a72130ac9ebb5d7e38d938aafd0c7b4dc5ce7f0b8531fff9
• Instruction Fuzzy Hash: D591C17194A7C0DAC731CB6894511ABBFE4AF6A300F44496FD1CAA3B41D238F908D72E
Uniqueness
• Uniqueness Score: 0.39%

APIs
  • Part of subcall function 004082E0: CharUpperBuffW.USER32(?,?), ref: 004082FD
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
• _memmove.LIBCMT ref: 0041047A
• _memmove.LIBCMT ref: 004107DF
• _memmove.LIBCMT ref: 0041080E
  • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
  • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
  • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A177
  • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A190
  • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
  • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
  • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
  • Part of subcall function 00409E9C: #9.OLEAUT32(?,?,?,?,?,00469D81,?,00000001,-004C5E88,?,00455CCE,?,?,?,0040FAE1,00000000), ref: 0043FE11
  • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
  • Part of subcall function 00410B30: timeGetTime.WINMM ref: 00410E76
  • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
  • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 00410FC7
  • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00410FD5
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00410FDF
  • Part of subcall function 00410B30: LockWindowUpdate.USER32(00000000), ref: 0041105A
  • Part of subcall function 00410B30: DestroyWindow.USER32 ref: 00411066
  • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
  • Part of subcall function 00410B30: timeGetTime.WINMM ref: 004110B2
  • Part of subcall function 00410B30: TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004452AD
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
  • Part of subcall function 00410B30: #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,00000000,?,?,?,?), ref: 00445844
  • Part of subcall function 00410B30: #9.OLEAUT32(00000000), ref: 00445A00
  • Part of subcall function 00410B30: #9.OLEAUT32(?,00000000,00000001,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,00000000,?,?,?,?), ref: 00445A96
  • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
  • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
  • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445C7D
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00445F24
  • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
  • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
  • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445FEB
  • Part of subcall function 00410B30: Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
  • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 0044608A
  • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00446098
  • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
  • Part of subcall function 0047A5EE: CharUpperBuffW.USER32(?,00000016), ref: 0047A67E
  • Part of subcall function 00456C62: _memmove.LIBCMT ref: 00456CAC
  • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Sleep_memmove$Translate$BuffCharCloseCodeDispatchExitHandleLoadObjectPeekProcessSingleStringTimeUpperWaitWindow__swprintf_wprintftime$AcceleratorDestroyException@8LockThrowUpdatestd::exception::exception
                                                                                      • String ID: %I
                                                                                      • API String ID: 2015352795-63094095
                                                                                      • Opcode ID: 41636cd87b8ba94a046f8664d026baf789fabddac616076681d4b52a6bc51e89
                                                                                      • Instruction ID: a3b9221dc64c310c941b5016b295edb8af427260a8d4055f717b05a0858251c0
                                                                                      • Opcode Fuzzy Hash: 41636cd87b8ba94a046f8664d026baf789fabddac616076681d4b52a6bc51e89
                                                                                      • Instruction Fuzzy Hash: B7926C706083419FD720DF15C580B6BB7E1BF84304F14896EE8969B392D7B9EC85CB9A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetFileAttributesW.KERNEL32(?,0043E7C1), ref: 004646A6
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 004646B7
                                                                                      • FindClose.KERNEL32(00000000), ref: 004646C7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$AttributesCloseFirst
                                                                                      • String ID:
                                                                                      • API String ID: 48322524-0
                                                                                      • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                                                      • Instruction ID: d948841d4539c93f635718a430456d5b2beea82774a4ad5489b04229db4e1113
                                                                                      • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                                                      • Instruction Fuzzy Hash: 81E0D8318104005B46106738EC4D4EF7B5C9E86335F100B6BFC35C15E0F7B85964869F
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.13%

                                                                                      Strings
                                                                                      • Variable must be of type 'Object'., xrefs: 0044428C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString__swprintf_wprintf$ErrorLastMessage_memmove
                                                                                      • String ID: Variable must be of type 'Object'.
                                                                                      • API String ID: 1087585129-109567571
                                                                                      • Opcode ID: c0c83da57fe9adcf50571b204bb922bbfc317d87f1c580f86c1fca810dd725e9
                                                                                      • Instruction ID: 646285330f24ea673303868bc9691634490c9c151704f09186753778590e683b
                                                                                      • Opcode Fuzzy Hash: c0c83da57fe9adcf50571b204bb922bbfc317d87f1c580f86c1fca810dd725e9
                                                                                      • Instruction Fuzzy Hash: 88A28C74A04205CFDB24CF59C480AAAB7B1FF48304F24847AE916BB391D739EC56CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.85%

                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A36A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                                                                      • Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
                                                                                      • Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                                                                      • Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.01%

                                                                                      APIs
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
                                                                                      • Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • timeGetTime.WINMM ref: 00410E76
                                                                                        • Part of subcall function 0040FE40: _memmove.LIBCMT ref: 0041047A
                                                                                        • Part of subcall function 0040FE40: _memmove.LIBCMT ref: 004107DF
                                                                                        • Part of subcall function 0040FE40: _memmove.LIBCMT ref: 0041080E
                                                                                        • Part of subcall function 004031CE: IsDialogMessageW.USER32(?,?), ref: 00403208
                                                                                        • Part of subcall function 004031CE: GetClassLongW.USER32(?,000000E0), ref: 0043D186
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
                                                                                      • TranslateMessage.USER32(?), ref: 00410FC7
                                                                                      • DispatchMessageW.USER32(?), ref: 00410FD5
                                                                                      • Sleep.KERNEL32(0000000A), ref: 00410FDF
                                                                                      • LockWindowUpdate.USER32(00000000), ref: 0041105A
                                                                                      • DestroyWindow.USER32 ref: 00411066
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
                                                                                      • timeGetTime.WINMM ref: 004110B2
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                        • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A177
                                                                                        • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A190
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
                                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 004452AD
                                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
                                                                                      • TranslateMessage.USER32(?), ref: 0044608A
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 0043F9F7
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
                                                                                      • #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,00000000,?,?,?,?), ref: 00445844
                                                                                      • #9.OLEAUT32(00000000), ref: 00445A00
                                                                                      • #9.OLEAUT32(?,00000000,00000001,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,00000000,?,?,?,?), ref: 00445A96
                                                                                      • DispatchMessageW.USER32(?), ref: 00446098
                                                                                        • Part of subcall function 004628F7: Sleep.KERNEL32(0000000A,?,?,00445B57,?), ref: 00462965
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
                                                                                      • CloseHandle.KERNEL32(?), ref: 00445C7D
                                                                                        • Part of subcall function 004861AC: GetForegroundWindow.USER32 ref: 004861D7
                                                                                        • Part of subcall function 0040B93D: IsWindow.USER32(00000000), ref: 00441054
                                                                                        • Part of subcall function 004654E6: QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465502
                                                                                        • Part of subcall function 004654E6: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465510
                                                                                        • Part of subcall function 004654E6: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465518
                                                                                        • Part of subcall function 004654E6: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465522
                                                                                        • Part of subcall function 004654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E
                                                                                      • Sleep.KERNEL32(0000000A), ref: 00445F24
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
                                                                                        • Part of subcall function 00463E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00463EB6
                                                                                        • Part of subcall function 00463E91: Process32FirstW.KERNEL32(00000000,?), ref: 00463EC4
                                                                                        • Part of subcall function 00463E91: Process32NextW.KERNEL32(00000000,?), ref: 00463EE4
                                                                                        • Part of subcall function 00463E91: CloseHandle.KERNEL32(00000000), ref: 00463F8E
                                                                                        • Part of subcall function 00420719: timeGetTime.WINMM ref: 0042071D
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
                                                                                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
                                                                                      • CloseHandle.KERNEL32(?), ref: 00445FEB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Sleep$_memmove$Window__swprintf$CloseHandlePerformanceQueryTimeTranslatetime$CodeCounterDispatchExitLoadObjectPeekProcessProcess32SingleStringWait_wcscpy_wprintf$AcceleratorClassCreateDestroyDialogException@8FirstForegroundFrequencyLockLongNextSnapshotThrowToolhelp32Update__i64tow__itowstd::exception::exception
                                                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                      • API String ID: 948137667-3242690629
                                                                                      • Opcode ID: 441288072c25d4d31a744c6d311dd2bb703106e1bc0a8afa2d69edcac75fa916
                                                                                      • Instruction ID: abb91fbfb1f178075637fae0d8e48f5fa84006329822cc06d63061e15e90d741
                                                                                      • Opcode Fuzzy Hash: 441288072c25d4d31a744c6d311dd2bb703106e1bc0a8afa2d69edcac75fa916
                                                                                      • Instruction Fuzzy Hash: ABB2A570608741DFEB24DF25C844BAAB7E5BF84308F14492FE44997392DB79E885CB4A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 5.06%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                      • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                      • LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                      • String ID: +$0$AutoIt v3 GUI$F;@$TaskbarCreated
                                                                                      • API String ID: 2914291525-2219658845
                                                                                      • Opcode ID: b32fe6db03ccba481f670429e5c7b523f4edffb20c87d4c464e52b45bc5e04fc
                                                                                      • Instruction ID: 979edb967f183c55e8c669bfc31fc45122444ef7f147c2a4b30f384e98b85c10
                                                                                      • Opcode Fuzzy Hash: b32fe6db03ccba481f670429e5c7b523f4edffb20c87d4c464e52b45bc5e04fc
                                                                                      • Instruction Fuzzy Hash: 043149B1941304EFEB40DFA4D884ADDBBF4FB09310F14856EE941EA2A1D3B54545CFA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                      • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                      • LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                      • String ID: +$0$AutoIt v3 GUI$F;@$TaskbarCreated
                                                                                      • API String ID: 2914291525-2219658845
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00404864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004072BA,?,?,?,?,0040108C,-004C5E84), ref: 00404882
                                                                                        • Part of subcall function 0042074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004072C5,?,?,?,?,0040108C,-004C5E84), ref: 00420771
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                        • Part of subcall function 00403F84: _memmove.LIBCMT ref: 0040400E
                                                                                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0040108C,-004C5E84), ref: 00407308
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0040108C,-004C5E84), ref: 0043ECF1
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0040108C,-004C5E84), ref: 0043ED32
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,0040108C,-004C5E84), ref: 0043ED70
                                                                                      • _wcscat.LIBCMT ref: 0043EDC9
                                                                                      • _wcscat.LIBCMT ref: 0043EDFE
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$NameQueryValue_wcscat$CloseException@8FileFullModuleOpenPathThrowstd::exception::exception
                                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                      • API String ID: 2320919795-2727554177
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.47%

                                                                                      Control-flow Graph
                                                                                      (rendered graph not available in this extraction; nodes are marked Executed or Not Executed)

                                                                                      APIs
                                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                                                                                      • CreatePopupMenu.USER32 ref: 0040373E
                                                                                        • Part of subcall function 004045DF: _memset.LIBCMT ref: 004045F9
                                                                                        • Part of subcall function 004045DF: GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 0043D750
                                                                                        • Part of subcall function 004045DF: GetMenuItemCount.USER32(004C6890), ref: 0043D7CD
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000005,00000000), ref: 0043D85D
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000004,00000000), ref: 0043D865
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000006,00000000), ref: 0043D86D
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000003,00000000), ref: 0043D875
                                                                                        • Part of subcall function 004045DF: GetMenuItemCount.USER32(004C6890), ref: 0043D87D
                                                                                        • Part of subcall function 004045DF: SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 0043D8B7
                                                                                        • Part of subcall function 004045DF: GetCursorPos.USER32(?), ref: 0043D8C1
                                                                                        • Part of subcall function 004045DF: SetForegroundWindow.USER32(00000000), ref: 0043D8CA
                                                                                        • Part of subcall function 004045DF: TrackPopupMenuEx.USER32(004C6890,00000000,?,00000000,00000000,00000000), ref: 0043D8DD
                                                                                        • Part of subcall function 004045DF: PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0043D8E9
                                                                                      • PostQuitMessage.USER32(00000000), ref: 0040375F
                                                                                        • Part of subcall function 00404531: _memset.LIBCMT ref: 00404560
                                                                                        • Part of subcall function 00404531: KillTimer.USER32(?,00000001), ref: 004045B5
                                                                                        • Part of subcall function 00404531: SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004045C4
                                                                                        • Part of subcall function 00404531: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D6CE
                                                                                      • SetFocus.USER32 ref: 0043D2ED
                                                                                      • MoveWindow.USER32(00000000,00000000,?,?,00000001), ref: 0043D311
                                                                                      • KillTimer.USER32(?,00000001), ref: 004036FC
                                                                                        • Part of subcall function 004044CB: _memset.LIBCMT ref: 004044F7
                                                                                        • Part of subcall function 004044CB: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00404527
                                                                                        • Part of subcall function 00403114: DeleteObject.GDI32(?), ref: 0040314D
                                                                                        • Part of subcall function 00403114: DestroyWindow.USER32(?), ref: 004031A6
                                                                                        • Part of subcall function 004043DB: _memset.LIBCMT ref: 00404401
                                                                                        • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004044A6
                                                                                        • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004044C3
                                                                                        • Part of subcall function 00462A16: _memset.LIBCMT ref: 00462A31
                                                                                        • Part of subcall function 00462A16: GetMenuItemInfoW.USER32(004C6890,000000FF,00000000,00000030), ref: 00462A92
                                                                                        • Part of subcall function 00462A16: SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 00462AC8
                                                                                        • Part of subcall function 00462A16: Sleep.KERNEL32(000001F4), ref: 00462ADA
                                                                                        • Part of subcall function 00462A16: GetMenuItemCount.USER32(?), ref: 00462B1E
                                                                                        • Part of subcall function 00462A16: GetMenuItemID.USER32(?,00000000), ref: 00462B3A
                                                                                        • Part of subcall function 00462A16: GetMenuItemID.USER32(?,-00000001), ref: 00462B64
                                                                                        • Part of subcall function 00462A16: GetMenuItemID.USER32(?,?), ref: 00462BA9
                                                                                        • Part of subcall function 00462A16: CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462BEF
                                                                                        • Part of subcall function 00462A16: GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C03
                                                                                        • Part of subcall function 00462A16: SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C24
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$Info$DeleteWindow_memset$IconNotifyShell_Timer$CountMessage$KillPopupPost$CheckCreateCursorDestroyFocusForegroundMoveObjectProcQuitRadioRegisterSleepTrack
                                                                                      • String ID: TaskbarCreated$%I
                                                                                      • API String ID: 2219433024-1195164674
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00403A62
                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00403A71
                                                                                      • LoadIconW.USER32(00000063), ref: 00403A88
                                                                                      • LoadIconW.USER32(000000A4), ref: 00403A9A
                                                                                      • LoadIconW.USER32(000000A2), ref: 00403AAC
                                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AD2
                                                                                      • RegisterClassExW.USER32(?), ref: 00403B28
                                                                                        • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                        • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                        • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                        • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                        • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                        • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                        • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                                        • Part of subcall function 004048FE: LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404922
                                                                                        • Part of subcall function 004048FE: EnumResourceNamesW.KERNEL32(00000000,0000000E,00464189,00000063), ref: 0043DA68
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$Icon$Image$Register$BrushClassColorList_$CommonControlsCreateCursorEnumInitMessageNamesReplaceResourceWindow
                                                                                      • String ID: #$0$AutoIt v3
                                                                                      • API String ID: 2567192541-4155596026
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.20%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00404864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004072BA,?,?,?,?,0040108C,-004C5E84), ref: 00404882
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00404F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 0046992C
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 00469933
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 0046999E
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 004699A6
                                                                                      • _free.LIBCMT ref: 0043D3D5
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                        • Part of subcall function 00404FAA: FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
                                                                                        • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$FreeLibrary$ErrorFileHeapLastLoadModuleName__wcsicmp_l_memmove
                                                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                      • API String ID: 2910224213-3513169116
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 6.12%

                                                                                      Control-flow Graph
                                                                                      (rendered graph not available in this extraction; nodes are marked Executed or Not Executed)

                                                                                      APIs
                                                                                      • __lock.LIBCMT ref: 00423477
                                                                                        • Part of subcall function 00429E4B: __mtinitlocknum.LIBCMT ref: 00429E5D
                                                                                        • Part of subcall function 00429E4B: EnterCriticalSection.KERNEL32(?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00429E76
                                                                                      • RtlDecodePointer.NTDLL(004BBB70), ref: 004234B6
                                                                                      • RtlDecodePointer.NTDLL ref: 004234C7
                                                                                      • RtlEncodePointer.NTDLL(00000000,?,00423310,000000FF,?,00429E6E,00000011,?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?), ref: 004234E0
                                                                                      • RtlDecodePointer.NTDLL(-00000004), ref: 004234F0
                                                                                      • RtlEncodePointer.NTDLL(00000000,?,00423310,000000FF,?,00429E6E,00000011,?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?), ref: 004234F6
                                                                                      • RtlDecodePointer.NTDLL ref: 0042350C
                                                                                      • RtlDecodePointer.NTDLL ref: 00423517
                                                                                        • Part of subcall function 00429FB5: LeaveCriticalSection.KERNEL32(?,00429D1B,0000000D,00429CD6), ref: 00429FC2
                                                                                        • Part of subcall function 004232DF: ___crtCorExitProcess.LIBCMT ref: 004232E5
                                                                                        • Part of subcall function 004232DF: ExitProcess.KERNEL32 ref: 004232EE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$Decode$CriticalEncodeExitProcessSection$EnterLeave___crt__lock__mtinitlocknum
                                                                                      • String ID:
                                                                                      • API String ID: 3532926286-0
                                                                                      • Opcode ID: 3eb54479496a14f96af1a539c1c71f4a2dd7fdd1fba2ad2f8c082ffa494553fc
                                                                                      • Instruction ID: 8c72c2951835608107e4db8e866895b11fbebaeedbe16d100f1f63f8c378f011
                                                                                      • Opcode Fuzzy Hash: 3eb54479496a14f96af1a539c1c71f4a2dd7fdd1fba2ad2f8c082ffa494553fc
                                                                                      • Instruction Fuzzy Hash: 20317231A04329AEDF50AF65E84579D7AB1BB48315F94447FE408A6291DFBD0A84CB1C
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      Control-flow Graph
                                                                                      • Graph image not extracted; entry block 422ec8-422eef, API calls shown in graph: RtlDecodePointer, __realloc_crt, EncodePointer, RtlEncodePointer
                                                                                      APIs
                                                                                      • RtlDecodePointer.NTDLL ref: 00422EDB
                                                                                      • RtlDecodePointer.NTDLL ref: 00422EE6
                                                                                        • Part of subcall function 004289E4: HeapSize.KERNEL32(00000000,00000000,?,00422F07,00000000,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?), ref: 00428A0D
                                                                                      • __realloc_crt.LIBCMT ref: 00422F27
                                                                                      • __realloc_crt.LIBCMT ref: 00422F3B
                                                                                      • EncodePointer.KERNEL32(00000000,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00422F4D
                                                                                      • RtlEncodePointer.NTDLL(?,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00422F5B
                                                                                      • RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00422F67
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$Encode$Decode__realloc_crt$HeapSize
                                                                                      • String ID:
                                                                                      • API String ID: 177749828-0
                                                                                      • Opcode ID: 84a00aaf028b4249c7e1c5d66ab9dc667d834f1d9d23803f899ef7f94023533b
                                                                                      • Instruction ID: ea3efdf8e2bad2a4f7d05d94394ea50cef9674f9c70b6f81548ced0ca2bbb24c
                                                                                      • Opcode Fuzzy Hash: 84a00aaf028b4249c7e1c5d66ab9dc667d834f1d9d23803f899ef7f94023533b
                                                                                      • Instruction Fuzzy Hash: BF118172714225BF9B149B34EF848AABBF9EB05390791457BF805D3210EB75EC009B98
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      Control-flow Graph
                                                                                      • Graph image not extracted; entry block 4073e5-407405, API call shown in graph: GetOpenFileNameW
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0043EE62
                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 0043EEAC
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,?,004072BA,?,?,?,?,0040108C), ref: 004048CE
                                                                                        • Part of subcall function 004209D5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004209F4
                                                                                        • Part of subcall function 004069CA: _free.LIBCMT ref: 0043E68C
                                                                                        • Part of subcall function 004069CA: _free.LIBCMT ref: 0043E6D3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$Path_free$FileFullLongOpen_memmove_memset
                                                                                      • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                                                                      • API String ID: 1116811270-1954568251
                                                                                      • Opcode ID: b4d37d12c6d2a76a87de7929d6b0db4a55e5567a859db527ed9755684b5293fe
                                                                                      • Instruction ID: 5559bcc2e5b0ce129e075af18a443fb14fc0140c0908acbd47f5bc3bdc75694c
                                                                                      • Opcode Fuzzy Hash: b4d37d12c6d2a76a87de7929d6b0db4a55e5567a859db527ed9755684b5293fe
                                                                                      • Instruction Fuzzy Hash: CF21F671A142589BCB01DF95C845BEE7BF89F49314F00802BE508F7281DBBC598A8FA9
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      Control-flow Graph
                                                                                      • Graph image not extracted; single block 4039e7-403a57, API calls shown in graph: CreateWindowExW * 2, ShowWindow * 2
                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00403A15
                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A36
                                                                                      • ShowWindow.USER32(00000000), ref: 00403A4A
                                                                                      • ShowWindow.USER32(00000000), ref: 00403A53
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CreateShow
                                                                                      • String ID: AutoIt v3$edit
                                                                                      • API String ID: 1584632944-3779509399
                                                                                      • Opcode ID: 0bc3cb8581d30033406bf709693028d192d2a29ffe70b3422ed3ac2c8c0a6a91
                                                                                      • Instruction ID: cb3e65218c39cbcb5fba8b0d7b0502fae8825f6b165f745e847789765139e861
                                                                                      • Opcode Fuzzy Hash: 0bc3cb8581d30033406bf709693028d192d2a29ffe70b3422ed3ac2c8c0a6a91
                                                                                      • Instruction Fuzzy Hash: 54F05E706412907EEA7027236C09F372E7DD7C3F50F21817EB900A2171C6A90800CAB8
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.13%
                                                                                      Control-flow Graph
                                                                                      • Graph image not extracted; entry block 4069ca-4069f1, graph contains only calls to internal functions (no API names in the graph data)
                                                                                      APIs
                                                                                        • Part of subcall function 00404F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 0046992C
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 00469933
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 0046999E
                                                                                        • Part of subcall function 004697E5: _free.LIBCMT ref: 004699A6
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _free.LIBCMT ref: 0043E6D3
                                                                                        • Part of subcall function 0045FC4D: _memmove.LIBCMT ref: 0045FC88
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FB81
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FBA2
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FBBC
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00406999: _wcscmp.LIBCMT ref: 004069AC
                                                                                        • Part of subcall function 0040766F: _memmove.LIBCMT ref: 0040774A
                                                                                      • _free.LIBCMT ref: 0043E68C
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                        • Part of subcall function 00404FAA: FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
                                                                                        • Part of subcall function 0045FCB1: GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E6C9,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045FCD2
                                                                                        • Part of subcall function 0045FCB1: LoadStringW.USER32(00000000,?,0043E6C9,00000010), ref: 0045FCD9
                                                                                        • Part of subcall function 0045FCB1: _wprintf.LIBCMT ref: 0045FD0C
                                                                                        • Part of subcall function 0045FCB1: __swprintf.LIBCMT ref: 0045FD2E
                                                                                        • Part of subcall function 0045FCB1: __swprintf.LIBCMT ref: 0045FD49
                                                                                        • Part of subcall function 0045FCB1: MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045FD9D
                                                                                        • Part of subcall function 00464534: GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046454E
                                                                                        • Part of subcall function 00464534: LoadStringW.USER32(00000000), ref: 00464555
                                                                                        • Part of subcall function 00464534: GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046456B
                                                                                        • Part of subcall function 00464534: LoadStringW.USER32(00000000), ref: 00464572
                                                                                        • Part of subcall function 00464534: _wprintf.LIBCMT ref: 00464598
                                                                                        • Part of subcall function 00464534: MessageBoxW.USER32(00000000,?,?,00011010), ref: 004645B6
                                                                                        • Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406D0D
                                                                                        • Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?), ref: 00406E5A
                                                                                        • Part of subcall function 00406BEC: _free.LIBCMT ref: 0043EB9C
                                                                                        • Part of subcall function 00406BEC: _free.LIBCMT ref: 0043EBE2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$Load$HandleModuleString__wcsnicmp_memmove$CurrentDirectoryFreeLibraryMessage__swprintf_wprintf$ErrorException@8HeapLastThrow_wcscmpstd::exception::exception
                                                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                      • API String ID: 3067711777-1757145024
                                                                                      • Opcode ID: 48af337fa32d7ac79d44a3b26ecc76939e36bdbc999b5eac5f2b589d327e3590
                                                                                      • Instruction ID: 2258a68d981662f44974eb8b497df540c6efdf5e7203b7320ea2560545df3755
                                                                                      • Opcode Fuzzy Hash: 48af337fa32d7ac79d44a3b26ecc76939e36bdbc999b5eac5f2b589d327e3590
                                                                                      • Instruction Fuzzy Hash: 92915E71910219AFCF04EFA6C8819EEB7B4BF18318F54446FE815AB2D1DB38A905CB59
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.28%
                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004203D3
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 004203DB
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004203E6
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004203F1
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 004203F9
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00420401
                                                                                        • Part of subcall function 00416259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040FA90), ref: 004162B4
                                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040FB2D
                                                                                      • OleInitialize.OLE32(00000000), ref: 0040FBAA
                                                                                        • Part of subcall function 004674A9: CreateThread.KERNEL32(00000000,00000000,0046748F,00000000,00000000,?), ref: 004674C4
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004449F2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Handle$CloseCreateInitializeMessageRegisterThreadWindow
                                                                                      • String ID: %I
                                                                                      • API String ID: 2562920190-63094095
                                                                                      • Opcode ID: 02239ccd336f757ca34483d5bbfe3c2a34f3ebbc87da09f49494e0eb5c8a791c
                                                                                      • Instruction ID: 1cfffd179986f18d43a6ac5aa0dacd7918427e6922d3cb84a31c4b765cbc4a66
                                                                                      • Opcode Fuzzy Hash: 02239ccd336f757ca34483d5bbfe3c2a34f3ebbc87da09f49494e0eb5c8a791c
                                                                                      • Instruction Fuzzy Hash: 5B8198B49012909EC7C8EF2AE954E557BE5EB88308312C93FD819C7272EB399409CF5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                                                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValue
                                                                                      • String ID: Control Panel\Mouse
                                                                                      • API String ID: 3677997916-824357125
                                                                                      • Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                                                      • Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
                                                                                      • Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                                                      • Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.19%

                                                                                      APIs
                                                                                        • Part of subcall function 00405045: _fseek.LIBCMT ref: 0040505D
                                                                                        • Part of subcall function 004699BE: _wcscmp.LIBCMT ref: 00469AAE
                                                                                        • Part of subcall function 004699BE: _wcscmp.LIBCMT ref: 00469AC1
                                                                                        • Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                      • _free.LIBCMT ref: 0046992C
                                                                                      • _free.LIBCMT ref: 00469933
                                                                                      • _free.LIBCMT ref: 0046999E
                                                                                      • _free.LIBCMT ref: 004699A6
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$Heap_wcscmp$AllocateErrorFreeLast__fread_nolock_fseek
                                                                                      • String ID:
                                                                                      • API String ID: 1875458934-0
                                                                                      • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                                                      • Instruction ID: aea911c9e8d6c7baa485eb259c959778deb43e5282718a6a3eaa8d141b9c537f
                                                                                      • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                                                      • Instruction Fuzzy Hash: 2B512DB1A04218AFDF249F65DC41A9EBB79EF48314F1004AEB609A7281DB755E80CF5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.50%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00404E1A
                                                                                        • Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089
                                                                                        • Part of subcall function 00405045: _fseek.LIBCMT ref: 0040505D
                                                                                        • Part of subcall function 00404FE9: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00404FF9
                                                                                        • Part of subcall function 00404FE9: FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404EEE,?,?,00000000,00000000), ref: 00405010
                                                                                        • Part of subcall function 00404FE9: LoadResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD60
                                                                                        • Part of subcall function 00404FE9: SizeofResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD75
                                                                                        • Part of subcall function 00404FE9: LockResource.KERNEL32(N@,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F,00000000), ref: 0043DD88
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$CreateException@8FindGlobalLoadLockSizeofStreamThrow__fread_nolock_fseek_memmovestd::exception::exception
                                                                                      • String ID: AU3!P/I$EA06
                                                                                      • API String ID: 2347112480-1914660620
                                                                                      • Opcode ID: 8c6765611c1c92073ea3f7557a5ebebc0379cfc8ee5411a9a0fbe9599ab3c038
                                                                                      • Instruction ID: e4f2d0695f8a23f075e311890a29d80e38cea7919c4102c3fad58ec67193dbe6
                                                                                      • Opcode Fuzzy Hash: 8c6765611c1c92073ea3f7557a5ebebc0379cfc8ee5411a9a0fbe9599ab3c038
                                                                                      • Instruction Fuzzy Hash: 11417BB1A041546BCF214B64C8517BF7FA6EB85304F28407BEE42BA2C2C57C8D41C7EA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%
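
The function above locates a resource of type 0x0A (RT_RCDATA) named SCRIPT and references the strings AU3! and EA06. That combination is how an AutoIt v3 compiled executable stores its script: the stub interpreter loads the SCRIPT resource and looks for the AU3!EA06 signature in front of the script block, so the script it carries, not the stub's own code, is what needs analysis. The Python below is an added triage check, not part of the Joe Sandbox report or of the sample: it scans a file's raw bytes for those markers. The function and class names are our own, the "EA06" subtype tag is the one documented by the public AutoIt unpackers, and the sample byte strings are constructed inline for the example.

```python
"""Added triage check (not part of the Joe Sandbox report): look for the
AutoIt v3 compiled-script markers that the HCA entry above references,
i.e. an RT_RCDATA (type 0x0A) resource named "SCRIPT" and the "AU3!" /
"EA06" script signature. It scans raw bytes rather than walking the PE
resource tree, so treat a hit as "unpack this with an AutoIt tool next",
not as a verdict on what the embedded script does."""
from dataclasses import dataclass, field
from typing import List

RT_RCDATA = 0x0A                                   # FindResourceExW type argument seen in the HCA entry
SCRIPT_NAME_UTF16 = "SCRIPT".encode("utf-16-le")   # PE resource names are stored as UTF-16LE
AU3_MAGIC = b"AU3!"                                # AutoIt v3 script-block signature prefix
AU3_SUBTYPE = b"EA06"                              # subtype tag carried by AutoIt v3 compiled scripts


@dataclass
class Au3Findings:
    """Offsets of every marker hit; an empty list means the marker was absent."""
    is_pe: bool = False
    script_name_offsets: List[int] = field(default_factory=list)
    magic_offsets: List[int] = field(default_factory=list)
    subtype_offsets: List[int] = field(default_factory=list)
    signature_offsets: List[int] = field(default_factory=list)  # contiguous "AU3!EA06"

    @property
    def is_autoit_stub(self) -> bool:
        # Require both the resource name and the script magic: either one alone
        # turns up in unrelated binaries (any program may name a resource SCRIPT).
        return bool(self.script_name_offsets) and bool(self.magic_offsets)


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every (possibly overlapping) offset of needle in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def scan_for_autoit(data: bytes) -> Au3Findings:
    """Scan a file image for the AutoIt stub markers and report where they sit."""
    return Au3Findings(
        is_pe=data[:2] == b"MZ",
        script_name_offsets=find_all(data, SCRIPT_NAME_UTF16),
        magic_offsets=find_all(data, AU3_MAGIC),
        subtype_offsets=find_all(data, AU3_SUBTYPE),
        signature_offsets=find_all(data, AU3_MAGIC + AU3_SUBTYPE),
    )


def summarize(f: Au3Findings) -> str:
    """One-line verdict suitable for a triage log."""
    if not f.is_pe:
        return "not a PE image (no MZ header); markers were still searched"
    if f.is_autoit_stub:
        where = f.signature_offsets or f.magic_offsets
        return (f"AutoIt v3 compiled script likely: SCRIPT resource name at "
                f"{f.script_name_offsets}, AU3! at {where}")
    return "no AutoIt stub markers found"


# Constructed sample bytes (not taken from the analysed file): just enough
# layout to place the markers where a scanner would meet them in a real stub.
CONSTRUCTED_POSITIVE = (
    b"MZ" + b"\x00" * 62          # DOS header area
    + b"PE\x00\x00" + b"\x00" * 28
    + SCRIPT_NAME_UTF16           # resource directory string entry
    + b"\x00" * 16
    + AU3_MAGIC + AU3_SUBTYPE     # start of the embedded script block
    + b"\x00" * 8
)
CONSTRUCTED_NEGATIVE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"ordinary resource data" * 3


def scan_file(path: str) -> Au3Findings:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan_for_autoit(fh.read())


if __name__ == "__main__":
    import sys
    # With a path argument, scan that file; otherwise exercise the constructed blob.
    findings = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_for_autoit(CONSTRUCTED_POSITIVE)
    print(summarize(findings))
```

Invoked with a sample path it scans that file; with no argument it scans the constructed blob. A positive only says the file is AutoIt-compiled, which plenty of benign tooling also is; the next step is extracting the SCRIPT resource with an AutoIt unpacker and reading the script, since the report's RegAsm.exe activity comes from whatever that script does, not from the stub.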

                                                                                      APIs
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                        • Part of subcall function 004235E1: DecodePointer.KERNEL32(?,004259CD,?,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 004235EA
                                                                                      • std::exception::exception.LIBCMT ref: 0042102C
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 004287DB: RaiseException.KERNEL32(?,?,?,004BBAF8,?,?,?,?,?,00421046,?,004BBAF8,?,00000001), ref: 00428830
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateDecodeExceptionException@8HeapPointerRaiseThrowstd::exception::exception
                                                                                      • String ID: bad allocation
                                                                                      • API String ID: 2525242304-2104205924
                                                                                      • Opcode ID: 5ea83d7ebaadb3ed3b241e21904507e4a97e31a177577d9182c5025c173bb06c
                                                                                      • Instruction ID: 7ef10c6c1173b09cd5bea89a6eb30a235393a82e45e25364796afe6b045364de
                                                                                      • Opcode Fuzzy Hash: 5ea83d7ebaadb3ed3b241e21904507e4a97e31a177577d9182c5025c173bb06c
                                                                                      • Instruction Fuzzy Hash: BAF0F93470127DB6CB20AA55FD059DF7BA89F00354F90402FF804A2691EFF88A8082EC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042A3AB: __NMSG_WRITE.LIBCMT ref: 0042A3D2
                                                                                        • Part of subcall function 0042A3AB: __NMSG_WRITE.LIBCMT ref: 0042A3DC
                                                                                      • __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042A408: GetModuleFileNameW.KERNEL32(00000000,004C43BA,00000104,00000000,00000000,?), ref: 0042A49A
                                                                                        • Part of subcall function 0042A408: GetStdHandle.KERNEL32(000000F4,00000000,00000000,?), ref: 0042A554
                                                                                        • Part of subcall function 0042A408: _strlen.LIBCMT ref: 0042A594
                                                                                        • Part of subcall function 0042A408: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042A5A3
                                                                                        • Part of subcall function 0042A408: __invoke_watson.LIBCMT ref: 0042A5BF
                                                                                        • Part of subcall function 004232DF: ___crtCorExitProcess.LIBCMT ref: 004232E5
                                                                                        • Part of subcall function 004232DF: ExitProcess.KERNEL32 ref: 004232EE
                                                                                      • RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                        • Part of subcall function 004235E1: DecodePointer.KERNEL32(?,004259CD,?,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 004235EA
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExitFileProcess$AllocateDecodeHandleHeapModuleNamePointerWrite___crt__getptd_noexit__invoke_watson_strlen
                                                                                      • String ID:
                                                                                      • API String ID: 15092741-0
                                                                                      • Opcode ID: c00ab26dc2cd3f1d57d41560e0b46e4202be8d45b80d44de397e9cae70c6823a
                                                                                      • Instruction ID: 51681375befe7b4efc193715c803360cbf5942a41623950cdb13c0d60d2addc5
                                                                                      • Opcode Fuzzy Hash: c00ab26dc2cd3f1d57d41560e0b46e4202be8d45b80d44de397e9cae70c6823a
                                                                                      • Instruction Fuzzy Hash: 0D01D2B1341B35EEE6157B26F852B6E72588F81775FD0003FF8049A2C1DA7C9D828A6D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                      • __lock.LIBCMT ref: 004235B2
                                                                                        • Part of subcall function 00429E4B: __mtinitlocknum.LIBCMT ref: 00429E5D
                                                                                        • Part of subcall function 00429E4B: EnterCriticalSection.KERNEL32(?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00429E76
                                                                                      • RtlDecodePointer.NTDLL(00000001,?,004049A7,004581BC), ref: 004235BE
                                                                                      • RtlEncodePointer.NTDLL(?,?,004049A7,004581BC), ref: 004235C9
                                                                                        • Part of subcall function 00429FB5: LeaveCriticalSection.KERNEL32(?,00429D1B,0000000D,00429CD6), ref: 00429FC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalPointerSection$DecodeEncodeEnterLeave__lock__mtinitlocknum
                                                                                      • String ID:
                                                                                      • API String ID: 2625109469-0
                                                                                      • Opcode ID: f0f687c99d72e35ff3597eea0d1eb39ddd87317301f877e45278460e588003d2
                                                                                      • Instruction ID: 43b77fceb529d27b8fed4b1eaa527640059df970b8b7b5fac95191ab6a691f5a
                                                                                      • Opcode Fuzzy Hash: f0f687c99d72e35ff3597eea0d1eb39ddd87317301f877e45278460e588003d2
                                                                                      • Instruction Fuzzy Hash: 69D05B726003146BCA017BF6FD0EA497F54D7447A1F04043EFF08C61A0DE754850878C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 4.01%

                                                                                      APIs
                                                                                        • Part of subcall function 00409E9C: #9.OLEAUT32(?,?,?,?,?,00469D81,?,00000001,-004C5E88,?,00455CCE,?,?,?,0040FAE1,00000000), ref: 0043FE11
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 0047C4A7: GetEnvironmentVariableW.KERNEL32(0048F910,?,00000FFF,0048F910,?,00000016,?,00000000,?,004427F7,00000000,?,?,?,?), ref: 0047C555
                                                                                        • Part of subcall function 0047C5F4: CharUpperBuffW.USER32(?,?), ref: 0047C6C3
                                                                                        • Part of subcall function 0047C5F4: CharUpperBuffW.USER32(?,?), ref: 0047C783
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 0047BF80: CharUpperBuffW.USER32(?,?), ref: 0047C155
                                                                                      • _memmove.LIBCMT ref: 00440098
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                        • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A177
                                                                                        • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A190
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: BuffCharUpper$LoadString__swprintf_memmove_wprintf$EnvironmentException@8MessageThrowVariablestd::exception::exception
                                                                                      • String ID: CALL
                                                                                      • API String ID: 1666878114-4196123274
                                                                                      • Opcode ID: d33a1c3a313184cb2a326f1474268913fa13dbbd75ec40b2be7a1fa9dc9df4f4
                                                                                      • Instruction ID: fba746951a7a9659ed0fe9afb12c0d71ea54e1dd252402ff516c8313d7e4acc0
                                                                                      • Opcode Fuzzy Hash: d33a1c3a313184cb2a326f1474268913fa13dbbd75ec40b2be7a1fa9dc9df4f4
                                                                                      • Instruction Fuzzy Hash: 01223770608341CFD724DF14C494A6AB7E1FF44304F15896EE986AB3A2D739EC95CB8A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 7.75%

                                                                                      APIs
                                                                                      • _memmove.LIBCMT ref: 004665F1
                                                                                        • Part of subcall function 0046675A: _memmove.LIBCMT ref: 004667E8
                                                                                        • Part of subcall function 0046675A: _memmove.LIBCMT ref: 0046685B
                                                                                        • Part of subcall function 0046675A: _memmove.LIBCMT ref: 004668AD
                                                                                        • Part of subcall function 0046675A: _memmove.LIBCMT ref: 00466942
                                                                                        • Part of subcall function 0046675A: _memmove.LIBCMT ref: 0046695B
                                                                                        • Part of subcall function 0046675A: _memmove.LIBCMT ref: 00466977
                                                                                      • _memmove.LIBCMT ref: 004665D3
                                                                                        • Part of subcall function 0046794E: _memset.LIBCMT ref: 00467983
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$_memset
                                                                                      • String ID:
                                                                                      • API String ID: 1357608183-0
                                                                                      • Opcode ID: cf3fb0e40b1d011c78764e110bbb2e1bc444e29685298106b4dc6793493084e7
                                                                                      • Instruction ID: 22bf93401d6e6b5374a973d4e381dc42914bbd876f3749e824b38a5223a58d4c
                                                                                      • Opcode Fuzzy Hash: cf3fb0e40b1d011c78764e110bbb2e1bc444e29685298106b4dc6793493084e7
                                                                                      • Instruction Fuzzy Hash: 1E71D3702002049FCB249F19E555BBB77A5EF84318F26851FEC965B392EB3DAC01CB5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                        • Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467B20,?,?,00000000), ref: 00405B8C
                                                                                        • Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467B20,?,?,00000000,?,?), ref: 00405BB0
                                                                                      • _memmove.LIBCMT ref: 00467B25
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00467B65
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide_memmove$Exception@8Throwstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 2283534703-0
                                                                                      • Opcode ID: 659788df5ee825d314f128c454ac6842413733a606c133a68d911781ac0965d4
                                                                                      • Instruction ID: 6e9a610943f2cecc4461ac01b6952c89a43ac209689eaaf6a07620313d43154f
                                                                                      • Opcode Fuzzy Hash: 659788df5ee825d314f128c454ac6842413733a606c133a68d911781ac0965d4
                                                                                      • Instruction Fuzzy Hash: 8E41DA716082099BCB20DFA99981D6FB7E4EF0870CB24455FE54597382FE79AC018B5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                        • Part of subcall function 00407CB3: _memmove.LIBCMT ref: 00407D13
                                                                                      • _memmove.LIBCMT ref: 00407C0B
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00407C76
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1300846289-0
                                                                                      • Opcode ID: 084ba1ea0d58f984c6c398e1cf81d34d042e1bc15ce4a8371bb48d5930dc2317
                                                                                      • Instruction ID: dca2659d15994c90c6c09ac9109f1b02cf59a28755a4f5d1953427ae19ac93cb
                                                                                      • Opcode Fuzzy Hash: 084ba1ea0d58f984c6c398e1cf81d34d042e1bc15ce4a8371bb48d5930dc2317
                                                                                      • Instruction Fuzzy Hash: 2F31D3B1A08506AFD714CF28D881E6AB3A8FF48314715823EE915CB391EB74F851CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                      • IsThemeActive.UXTHEME ref: 00404992
                                                                                        • Part of subcall function 004235AC: __lock.LIBCMT ref: 004235B2
                                                                                        • Part of subcall function 004235AC: RtlDecodePointer.NTDLL(00000001,?,004049A7,004581BC), ref: 004235BE
                                                                                        • Part of subcall function 004235AC: RtlEncodePointer.NTDLL(?,?,004049A7,004581BC), ref: 004235C9
                                                                                        • Part of subcall function 00404A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404A73
                                                                                        • Part of subcall function 00404A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404A88
                                                                                        • Part of subcall function 00403B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B7A
                                                                                        • Part of subcall function 00403B4C: IsDebuggerPresent.KERNEL32 ref: 00403B8C
                                                                                        • Part of subcall function 00403B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C62F8,004C62E0,?,?), ref: 00403BFD
                                                                                        • Part of subcall function 00403B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C81
                                                                                        • Part of subcall function 00403B4C: MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B93F0,00000010), ref: 0043D4BC
                                                                                        • Part of subcall function 00403B4C: SetCurrentDirectoryW.KERNEL32(?,004C62F8,?,?,?), ref: 0043D4F4
                                                                                        • Part of subcall function 00403B4C: GetForegroundWindow.USER32 ref: 0043D57A
                                                                                        • Part of subcall function 00403B4C: ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D581
                                                                                      • SystemParametersInfoW.USER32(00002001,00000000,004C0044,00000002), ref: 004049D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryInfoParametersSystem$Pointer$ActiveDebuggerDecodeEncodeExecuteForegroundFullMessageNamePathPresentShellThemeWindow__lock
                                                                                      • String ID:
                                                                                      • API String ID: 266129024-0
                                                                                      • Opcode ID: 5410f46a1a81539200a2eeef6a8c5e81a175194c6352785b6e035db14a7f21cc
                                                                                      • Instruction ID: 4f3c985aaa7260ea6862a91c50e24ca429db6960d63ed6b712eae347e098ba5b
                                                                                      • Opcode Fuzzy Hash: 5410f46a1a81539200a2eeef6a8c5e81a175194c6352785b6e035db14a7f21cc
                                                                                      • Instruction Fuzzy Hash: FA116D716043119BC300EF29E80591AFBF8EB94714F00853FF545932A2DB749945CB9E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.25%

                                                                                      APIs
                                                                                      • timeGetTime.WINMM ref: 00412E1A
                                                                                        • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
                                                                                        • Part of subcall function 00410B30: timeGetTime.WINMM ref: 00410E76
                                                                                        • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
                                                                                        • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 00410FC7
                                                                                        • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00410FD5
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00410FDF
                                                                                        • Part of subcall function 00410B30: LockWindowUpdate.USER32(00000000), ref: 0041105A
                                                                                        • Part of subcall function 00410B30: DestroyWindow.USER32 ref: 00411066
                                                                                        • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
                                                                                        • Part of subcall function 00410B30: timeGetTime.WINMM ref: 004110B2
                                                                                        • Part of subcall function 00410B30: TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004452AD
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,00000000,?,?,?,?), ref: 00445844
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(00000000), ref: 00445A00
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(?,00000000,00000001,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,00000000,?,?,?,?), ref: 00445A96
                                                                                        • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
                                                                                        • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
                                                                                        • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445C7D
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00445F24
                                                                                        • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
                                                                                        • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
                                                                                        • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445FEB
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
                                                                                        • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 0044608A
                                                                                        • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00446098
                                                                                        • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
                                                                                      • Sleep.KERNEL32(00000000), ref: 00412E53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Sleep$TimeTranslatetime$CloseCodeDispatchExitHandleObjectPeekProcessSingleWaitWindow$AcceleratorDestroyLockUpdate
                                                                                      • String ID:
                                                                                      • API String ID: 2075848024-0
                                                                                      • Opcode ID: 83a2f4d3d9c0b871a168cd341809343d7d87ce9343cc09a6a1a57f3729182f89
                                                                                      • Instruction ID: d1c300ea91655eb9307443d86ffdf73ab59f85eace83877eb630077676957e6f
                                                                                      • Opcode Fuzzy Hash: 83a2f4d3d9c0b871a168cd341809343d7d87ce9343cc09a6a1a57f3729182f89
                                                                                      • Instruction Fuzzy Hash: 54F05E312446019BD350AF69D559BA6B7E4AF45350F00003EE86DD7352CB70AC44C795
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.31%

                                                                                      APIs
                                                                                      • __calloc_crt.LIBCMT ref: 00422E5A
                                                                                        • Part of subcall function 00428A15: __calloc_impl.LIBCMT ref: 00428A24
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00422E64
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodePointer__calloc_crt__calloc_impl
                                                                                      • String ID:
                                                                                      • API String ID: 1313826993-0
                                                                                      • Opcode ID: c8676dd660c7eefd106528180395904a2849ec008534d2bae86df56401002fe1
                                                                                      • Instruction ID: da289241f13c79bf68db0239506904f1207daf2422722450c71c90c663fb0b43
                                                                                      • Opcode Fuzzy Hash: c8676dd660c7eefd106528180395904a2849ec008534d2bae86df56401002fe1
                                                                                      • Instruction Fuzzy Hash: FDD05B33A497305EE3B16B257C05B9A37D0D744730F12446FF900D61C0DF644841478C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.23%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 0047A5EE: CharUpperBuffW.USER32(?,00000016), ref: 0047A67E
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                        • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A177
                                                                                        • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A190
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                      • _memmove.LIBCMT ref: 0044480B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString__swprintf_wprintf$BuffCharException@8MessageThrowUpper_memmovestd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 4241744515-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 0040774A
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1602317333-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: CallProcWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2714655100-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.26%

                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.60%

                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID:
                                                                                      • API String ID: 4104443479-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                        • Part of subcall function 00404D13: FreeLibrary.KERNEL32(00000000,?), ref: 00404D4D
                                                                                        • Part of subcall function 0042548B: __wfsopen.LIBCMT ref: 00425496
                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F
                                                                                        • Part of subcall function 00404DD0: _memmove.LIBCMT ref: 00404E1A
                                                                                        • Part of subcall function 00404FAA: FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
                                                                                        • Part of subcall function 00404CC8: FreeLibrary.KERNEL32(00000000), ref: 00404D02
                                                                                        • Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089
                                                                                      Similarity
                                                                                      • API ID: Library$Free$Load__fread_nolock__wfsopen_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 1609775715-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.09%

                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.60%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 0045FC88
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1602317333-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                      • _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1602317333-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memset.LIBCMT ref: 00467983
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 525207782-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.44%

                                                                                      APIs
                                                                                      • FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
                                                                                        • Part of subcall function 004255D6: __lock_file.LIBCMT ref: 0042561B
                                                                                        • Part of subcall function 004255D6: __fclose_nolock.LIBCMT ref: 00425626
                                                                                      Similarity
                                                                                      • API ID: FreeLibrary__fclose_nolock__lock_file
                                                                                      • String ID:
                                                                                      • API String ID: 1424536762-0
                                                                                      • Opcode ID: 33e20a952f2e8d0d1fe5c77e63e757c0056158892867987900cbbd52313694f7
                                                                                      • Instruction ID: 9f4c00c3caf65de6ea716a0b429dd2d7583c2b82718a0f3f6db7eedc70ddef11
                                                                                      • Opcode Fuzzy Hash: 33e20a952f2e8d0d1fe5c77e63e757c0056158892867987900cbbd52313694f7
                                                                                      • Instruction Fuzzy Hash: B3F039B1105712DFCB349F64E494816BBE2BF443293208A3FE2D692A50C739A884DF49
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.03%

                                                                                      APIs
                                                                                      • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004209F4
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongNamePath_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 2514874351-0
                                                                                      • Opcode ID: 782b4155a6be5666b9d6f7013c8adbab57ca25bad31f58bf0dd3291e7fbeca14
                                                                                      • Instruction ID: 7974ecc8d6474924d437b965a90c8222220e8c30f7c7811ba04b272f454b6667
                                                                                      • Opcode Fuzzy Hash: 782b4155a6be5666b9d6f7013c8adbab57ca25bad31f58bf0dd3291e7fbeca14
                                                                                      • Instruction Fuzzy Hash: 23E0263290022857C720E2589C05FFAB3ACDF88290F0001BAFC0CD3204D964AC818694
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.21%

                                                                                      APIs
                                                                                      • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00464A18
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: FolderPath_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 3334745507-0
                                                                                      • Opcode ID: 443c34642b66725297b26bbf2a860fa00fcfd1b38a8c131b00deb3de20626ca9
                                                                                      • Instruction ID: ad6fb64e700ddca96e5e99026dc6e0ea93483b30ed98fcf50192cb5c14734740
                                                                                      • Opcode Fuzzy Hash: 443c34642b66725297b26bbf2a860fa00fcfd1b38a8c131b00deb3de20626ca9
                                                                                      • Instruction Fuzzy Hash: 0DD05EB291032C2BEB60E6B99C0DDBB7BACDB44224F0006B67C5CD3152E934AD4586F1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.01%

                                                                                      APIs
                                                                                      • __wfsopen.LIBCMT ref: 00425496
                                                                                        • Part of subcall function 004254A0: __getstream.LIBCMT ref: 004254F0
                                                                                        • Part of subcall function 004254A0: @_EH4_CallFilterFunc@8.LIBCMT ref: 0042552B
                                                                                        • Part of subcall function 004254A0: __wopenfile.LIBCMT ref: 0042553B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CallFilterFunc@8__getstream__wfsopen__wopenfile
                                                                                      • String ID:
                                                                                      • API String ID: 4064380324-0
                                                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                      • Instruction ID: 46a80e34e794c1a8cabf707ff87d233abccaec3d4d3113a971d4033361891bdf
                                                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                      • Instruction Fuzzy Hash: CBB0927694020C77DE012E82FC02B697B199B44678F808021FB0C18162A677A6A09689
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.04%

                                                                                      APIs
                                                                                      • RtlEncodePointer.NTDLL(0042A730,004233F0,00000000,00000000,00000000,00000000,00000000), ref: 0042A769
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodePointer
                                                                                      • String ID:
                                                                                      • API String ID: 2118026453-0
                                                                                      • Opcode ID: b099f3d81180c5901ffbe3b9a6e79c65983757674502b88ca7a2d2bad456539b
                                                                                      • Instruction ID: eebce8f2417fcbd939ec70b27f3c6012329136301deee71cbb14e520e27e25f6
                                                                                      • Opcode Fuzzy Hash: b099f3d81180c5901ffbe3b9a6e79c65983757674502b88ca7a2d2bad456539b
                                                                                      • Instruction Fuzzy Hash: 69A002F4E563608B87505F70FE1990A7AF0B7C5702B51057EEC5181264DB784025AB1E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.05%

                                                                                      Non-executed Functions

                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004880E0
                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004880FF
                                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00488123
                                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00488134
                                                                                      • SendMessageW.USER32(?,00000149,00000000,00000000), ref: 00488153
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00488186
                                                                                      • SendMessageW.USER32(?,0000133C,00000000,?), ref: 004881AC
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004881E7
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 0048822E
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 00488256
                                                                                      • IsMenu.USER32(?), ref: 0048826F
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882CA
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882F8
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0048836C
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004883BB
                                                                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 00488456
                                                                                      • wsprintfW.USER32 ref: 0048847E
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004884A0
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 004884C8
                                                                                      • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004884EA
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048850A
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00488531
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 0043F9F7
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 0040463E: _wcsncpy.LIBCMT ref: 00404652
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 004885AB
                                                                                      • _memset.LIBCMT ref: 004885BD
                                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 004885EC
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00488625
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00488676
                                                                                      • CharNextW.USER32(00000000), ref: 004886B1
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 004886E1
                                                                                      • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 004886FC
                                                                                      • _memset.LIBCMT ref: 00488709
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 0048872A
                                                                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0048873F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$Menu$InfoItemLongText__swprintf_memset_wcscpy$CharException@8NextThrow__i64tow__itow_wcsncpystd::exception::exceptionwsprintf
                                                                                      • String ID: %d/%02d/%02d
                                                                                      • API String ID: 3265376569-328681919
                                                                                      • Opcode ID: cc5b804fd33376c731cbd160f8e0d164f9a7cb4823b0334d976b04350f666d51
                                                                                      • Instruction ID: 1694620be85d9f4a29f3fb548ce2e2fcd9673ad025b7a1e90bc8429aa5b278b6
                                                                                      • Opcode Fuzzy Hash: cc5b804fd33376c731cbd160f8e0d164f9a7cb4823b0334d976b04350f666d51
                                                                                      • Instruction Fuzzy Hash: DA12F471500214ABEB24AF24CC49FAF7BB4EF45710F60492EF915EA2E1EF788941CB18
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.59%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$_memset
                                                                                      • String ID: DEFINE$OaA$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$athan
                                                                                      • API String ID: 1357608183-1312225879
                                                                                      • Opcode ID: 7d82e88c8c583c3cf55e43ee8ba79f162b63989cccceeed3ce797de6903fdd66
                                                                                      • Instruction ID: 0f2016292ce7af36af0f0c3c89fa088be26185f2ba7aa12bc90a9d7b287e4a4c
                                                                                      • Opcode Fuzzy Hash: 7d82e88c8c583c3cf55e43ee8ba79f162b63989cccceeed3ce797de6903fdd66
                                                                                      • Instruction Fuzzy Hash: 2C93A371A002199BDB24CF58C8817EEB7B1FF48715F24816BED45AB381E7789D86CB48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$__isdigit_l_memcmp
                                                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$OaA$UCP)$UTF)$UTF16)
                                                                                      • API String ID: 354189410-3302439341
                                                                                      • Opcode ID: b575eb5cd43adaea0de128a74aa3f58823f576806eefacb0f2dd0bce3e4b62d6
                                                                                      • Instruction ID: 3784516a1003e1c275ce3f2ff5430e7d36dc90e0b9f0d34c2957a4bb797dab3e
                                                                                      • Opcode Fuzzy Hash: b575eb5cd43adaea0de128a74aa3f58823f576806eefacb0f2dd0bce3e4b62d6
                                                                                      • Instruction Fuzzy Hash: 8B72AE71E002199BDB24CF59C8807EEB7B5EF48310F15806BE849EB391E7789D85CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%
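Three things in the function blocks above are worth pulling out rather than reading past: the FreeLibrary call at 00404FDE carries the ">>>AUTOIT NO CMDEXECUTE<<<" marker string that the AutoIt3 runtime embeds in compiled scripts; the SHGetFolderPathW call at 00464A18 passes nFolder 0x26, which is CSIDL_PROGRAM_FILES in the Windows SDK; and the two 100%-uniqueness string-only functions hold PCRE internals (the "(*UTF)", "(*LIMIT_MATCH=" option prefixes and the "[[:<:]]" / "\b(?=\w)" word-boundary rewrites), consistent with a statically linked regex engine rather than attacker-specific strings. The parser below, added by the editor and not part of the Joe Sandbox report or its tooling, turns this plain-text HCA listing into records so such questions can be asked programmatically. It assumes each record begins at an "APIs" or "Strings" heading and ends at its "Uniqueness Score" line; the CSIDL table is the shlobj.h constants; the SAMPLE input is constructed from three blocks copied from the listing above.

```python
"""Parser for the plain-text Hybrid Code Analysis (HCA) function listing above.

Editor-added example, not part of the Joe Sandbox report or its tooling.  Assumes a
record starts at an 'APIs'/'Strings' heading and ends at its 'Uniqueness Score' line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " when the report attributes the call to a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^(?P<key>[^:]+): ?(?P<val>.*)$")  # "Opcode ID: ...", "Uniqueness Score: ..."

CSIDL = {0x07: "CSIDL_STARTUP", 0x18: "CSIDL_COMMON_STARTUP", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM",
         0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}  # Windows SDK shlobj.h values
AUTOIT_MARKER = ">>>AUTOIT NO CMDEXECUTE<<<"  # marker string embedded by the AutoIt3 runtime

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # parent function when listed as "Part of subcall"

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # Opcode ID, Uniqueness Score, Source File, ...

def parse_hca(text: str) -> List[FunctionRecord]:
    """Split the listing into one FunctionRecord per HCA function block."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        # A heading opens a new record once the previous one has reached its score line.
        if line in ("APIs", "Strings") and (cur is None or "Uniqueness Score" in cur.meta):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("sub")))
        elif m := KV_RE.match(line):
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]  # '$'-separated in the report
            else:
                cur.meta[key] = val
    return records

def direct_api_sequence(rec: FunctionRecord) -> List[str]:
    """API names the function calls itself, excluding calls attributed to callees."""
    return [c.name for c in rec.apis if c.subcall_of is None]

def uniqueness(rec: FunctionRecord) -> float:
    return float(rec.meta["Uniqueness Score"].rstrip("%"))

def folder_path_targets(records: List[FunctionRecord]) -> List[Tuple[str, str]]:
    """Resolve the nFolder argument (2nd) of each SHGetFolderPathW call to its CSIDL name."""
    out = []
    for c in (c for r in records for c in r.apis if c.name == "SHGetFolderPathW"):
        if len(c.args) > 1 and re.fullmatch(r"[0-9A-F]+", c.args[1]):  # '?' = not recovered
            n = int(c.args[1], 16)
            out.append((c.ref, CSIDL.get(n, f"CSIDL_0x{n:04X}")))
    return out

def autoit_marker_sites(records: List[FunctionRecord]) -> List[str]:
    """Call sites whose arguments carry the AutoIt runtime marker string."""
    return [c.ref for r in records for c in r.apis if any(AUTOIT_MARKER in a for a in c.args)]

# Constructed input: three blocks copied from the listing above, trimmed to the lines used.
SAMPLE = r"""
APIs
• FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
  • Part of subcall function 004255D6: __lock_file.LIBCMT ref: 0042561B
  • Part of subcall function 004255D6: __fclose_nolock.LIBCMT ref: 00425626
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 33e20a952f2e8d0d1fe5c77e63e757c0056158892867987900cbbd52313694f7
Uniqueness Score: 0.03%

APIs
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00464A18
  • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
• Opcode ID: 443c34642b66725297b26bbf2a860fa00fcfd1b38a8c131b00deb3de20626ca9
Uniqueness Score: 0.01%

Strings
• String ID: DEFINE$OaA$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$athan
• Opcode ID: 7d82e88c8c583c3cf55e43ee8ba79f162b63989cccceeed3ce797de6903fdd66
Uniqueness Score: 100.00%
"""
```

Run `parse_hca` over the whole listing (the section is plain text, so it can be pasted into SAMPLE unchanged) and `folder_path_targets` and `autoit_marker_sites` return the call-site addresses to jump to in the dump; the Opcode ID and Instruction ID kept in `meta` are the values to carry into other reports when checking whether the same function appears elsewhere.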

                                                                                      APIs
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 0043F9F7
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                      • _memmove.LIBCMT ref: 004133D7
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00413470
                                                                                      • _free.LIBCMT ref: 00413496
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                      • _memmove.LIBCMT ref: 00413549
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                        • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: _memmove$Heap__swprintf_wcscpy$AllocateErrorException@8FreeLastThrow__i64tow__itow_freestd::exception::exception
• String ID: OaA
• API String ID: 3659533023-4189730831
Uniqueness

Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DefDlgProcW.USER32(?,?,?,?), ref: 004019FA
• GetSysColor.USER32(0000000F), ref: 00401A4E
• SetBkColor.GDI32(?,00000000), ref: 00401A61
  • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
  • Part of subcall function 0040189B: DefDlgProcW.USER32(?,00000006,00000000,?), ref: 004018E2
  • Part of subcall function 0048CC88: GetWindowRect.USER32(?,?), ref: 0048CCAD
  • Part of subcall function 0048CC88: GetWindowRect.USER32(?,?), ref: 0048CD0C
  • Part of subcall function 0048CC88: MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0048CD46
  • Part of subcall function 004016B5: DefDlgProcW.USER32(?,00000002,00000000,00000000), ref: 004016D4
  • Part of subcall function 0040167D: DefDlgProcW.USER32(?,00000007,?,00000000), ref: 004016AB
  • Part of subcall function 0048D74C: GetSystemMetrics.USER32(0000000F), ref: 0048D78A
  • Part of subcall function 0048D74C: GetSystemMetrics.USER32(0000000F), ref: 0048D7AA
  • Part of subcall function 0048D74C: MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0048D9E5
  • Part of subcall function 0048D74C: SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048DA03
  • Part of subcall function 0048D74C: SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048DA24
  • Part of subcall function 0048D74C: ShowWindow.USER32(00000003,00000000), ref: 0048DA43
  • Part of subcall function 0048D74C: InvalidateRect.USER32(?,00000000,00000001), ref: 0048DA68
  • Part of subcall function 0048D74C: DefDlgProcW.USER32(?,00000005,?,?), ref: 0048DA8B
  • Part of subcall function 0048C86D: SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0048C8C7
  • Part of subcall function 0048C86D: DefDlgProcW.USER32(?,0000002B,?,?), ref: 0048C8E1
  • Part of subcall function 0048C27C: ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0048C2E4
  • Part of subcall function 0048C27C: ImageList_EndDrag.COMCTL32 ref: 0048C2EA
  • Part of subcall function 0048C27C: ReleaseCapture.USER32 ref: 0048C2F0
  • Part of subcall function 0048C27C: SetWindowTextW.USER32(?,00000000), ref: 0048C39A
  • Part of subcall function 0048C27C: SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0048C3AD
  • Part of subcall function 0048C27C: DefDlgProcW.USER32(?,00000202,?), ref: 0048C48F
  • Part of subcall function 0048C220: DefDlgProcW.USER32(?,00000204,?), ref: 0048C272
  • Part of subcall function 0048D6C6: DefDlgProcW.USER32(?,00000115,?,?), ref: 0048D740
  • Part of subcall function 0048DA9A: DefDlgProcW.USER32(?,00000112,?,00000000), ref: 0048DB46
  • Part of subcall function 0048C49C: PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C4EC
  • Part of subcall function 0048C49C: GetFocus.USER32 ref: 0048C4FC
  • Part of subcall function 0048C49C: GetDlgCtrlID.USER32(00000000), ref: 0048C507
  • Part of subcall function 0048C49C: _memset.LIBCMT ref: 0048C632
  • Part of subcall function 0048C49C: GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C65D
  • Part of subcall function 0048C49C: GetMenuItemCount.USER32(?), ref: 0048C67D
  • Part of subcall function 0048C49C: GetMenuItemID.USER32(?,00000000), ref: 0048C690
  • Part of subcall function 0048C49C: GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C6C4
  • Part of subcall function 0048C49C: GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C70C
  • Part of subcall function 0048C49C: CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C744
  • Part of subcall function 0048C49C: DefDlgProcW.USER32(?,00000111,?,?), ref: 0048C779
  • Part of subcall function 0048CD6C: GetWindowLongW.USER32(?,000000EC), ref: 0048CD74
  • Part of subcall function 0048CD6C: DefDlgProcW.USER32(?,00000084,00000000), ref: 0048CDA2
  • Part of subcall function 0048C788: GetCursorPos.USER32(?), ref: 0048C7C2
  • Part of subcall function 0048C788: TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048C7D7
  • Part of subcall function 0048C788: GetCursorPos.USER32(?), ref: 0048C824
  • Part of subcall function 0048C788: DefDlgProcW.USER32(?,0000007B,?), ref: 0048C85E
  • Part of subcall function 0048CBF9: DefDlgProcW.USER32(?,00000053,?,?), ref: 0048CC24
  • Part of subcall function 0048CDAC: DefDlgProcW.USER32(?,0000004E,?,?), ref: 0048CE50
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CE91
  • Part of subcall function 0048CDAC: GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048CED6
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CF00
  • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048CF29
  • Part of subcall function 0048CDAC: _wcsncpy.LIBCMT ref: 0048CFA1
  • Part of subcall function 0048CDAC: GetKeyState.USER32(00000011), ref: 0048CFC2
  • Part of subcall function 0048CDAC: GetKeyState.USER32(00000009), ref: 0048CFCF
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CFE5
  • Part of subcall function 0048CDAC: GetKeyState.USER32(00000010), ref: 0048CFEF
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048D018
  • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D03F
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001030,?,0048B602), ref: 0048D145
  • Part of subcall function 0048CDAC: ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048D15B
  • Part of subcall function 0048CDAC: ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048D16E
  • Part of subcall function 0048CDAC: SetCapture.USER32(?), ref: 0048D177
  • Part of subcall function 0048CDAC: ClientToScreen.USER32(?,?), ref: 0048D1DC
  • Part of subcall function 0048CDAC: ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048D1E9
  • Part of subcall function 0048CDAC: InvalidateRect.USER32(?,00000000,00000001), ref: 0048D203
  • Part of subcall function 0048CDAC: ReleaseCapture.USER32 ref: 0048D20E
  • Part of subcall function 0048CDAC: GetCursorPos.USER32(?), ref: 0048D248
  • Part of subcall function 0048CDAC: ScreenToClient.USER32(?,?), ref: 0048D255
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D2B1
  • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D2DF
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D31C
  • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D34B
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D36C
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D37B
  • Part of subcall function 0048CDAC: GetCursorPos.USER32(?), ref: 0048D39B
  • Part of subcall function 0048CDAC: ScreenToClient.USER32(?,?), ref: 0048D3A8
  • Part of subcall function 0048CDAC: GetParent.USER32(?), ref: 0048D3C8
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D431
  • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D462
  • Part of subcall function 0048CDAC: ClientToScreen.USER32(?,?), ref: 0048D4C0
  • Part of subcall function 0048CDAC: TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D4F0
  • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D51A
  • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D53D
  • Part of subcall function 0048CDAC: ClientToScreen.USER32(?,?), ref: 0048D58F
  • Part of subcall function 0048CDAC: TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D5C3
  • Part of subcall function 0048CDAC: GetWindowLongW.USER32(?,000000F0), ref: 0048D65F
  • Part of subcall function 00456BAE: GetSysColor.USER32(0000000F), ref: 00456BCD
  • Part of subcall function 00456BAE: SetBkColor.GDI32(?,00000000), ref: 00456BE2
  • Part of subcall function 00401765: BeginPaint.USER32(?,?), ref: 0040179A
  • Part of subcall function 00401765: GetWindowRect.USER32(?,?), ref: 004017FE
  • Part of subcall function 00401765: ScreenToClient.USER32(?,?), ref: 0040181B
  • Part of subcall function 00401765: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
  • Part of subcall function 00401765: EndPaint.USER32(?,?), ref: 00401876
  • Part of subcall function 00401765: Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0043BACB
  • Part of subcall function 0048CC2E: ClientToScreen.USER32(?,?), ref: 0048CC51
  • Part of subcall function 0048CC2E: ImageList_DragMove.COMCTL32(?,?,?,0043BC66,?,?,?,?,?), ref: 0048CC5D
  • Part of subcall function 0048CC2E: DefDlgProcW.USER32(?,00000200,?,?), ref: 0048CC7A
• IsThemeActive.UXTHEME(?), ref: 0043BC84
• DefDlgProcW.USER32(?,0000031A,?,?), ref: 0043BC97
  • Part of subcall function 0048C8EE: DragQueryPoint.SHELL32(?,?), ref: 0048C917
  • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B0,?,?), ref: 0048C980
  • Part of subcall function 0048C8EE: DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C98B
  • Part of subcall function 0048C8EE: DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C9AE
  • Part of subcall function 0048C8EE: _wcscat.LIBCMT ref: 0048C9DE
  • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C9F5
  • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B0,?,?), ref: 0048CA0E
  • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA25
  • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA47
  • Part of subcall function 0048C8EE: DragFinish.SHELL32(?), ref: 0048CA4E
  • Part of subcall function 0048C8EE: DefDlgProcW.USER32(?,00000233,?,00000000), ref: 0048CB41
  • Part of subcall function 0048CBAE: DefDlgProcW.USER32(?,00000232,?,?), ref: 0048CBEE
  • Part of subcall function 0048CB7F: DefDlgProcW.USER32 ref: 0048CBA4
  • Part of subcall function 0048CB50: DefDlgProcW.USER32 ref: 0048CB75
  • Part of subcall function 004016DE: GetParent.USER32(?), ref: 0043BA0A
  • Part of subcall function 004016DE: DefDlgProcW.USER32(?,00000133,?,?), ref: 0043BA84
  • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
  • Part of subcall function 00401290: GetClientRect.USER32(?,?), ref: 0043B84B
  • Part of subcall function 00401290: GetCursorPos.USER32(?), ref: 0043B855
  • Part of subcall function 00401290: ScreenToClient.USER32(?,?), ref: 0043B860
Similarity
• API ID: Message$Send$Proc$Window$Drag$ClientMenu$Screen$Image$CursorItemList_Rect$ColorLong$CaptureInfoMovePopupQueryStateTrack$BeginFileInvalidateMetricsPaintParentReleaseSystem$ActiveBrushCheckCountCreateCtrlEnterFinishFocusLeavePointPostRadioRectangleShowSolidTextThemeViewport_memset_wcscat_wcsncpy
• String ID:
• API String ID: 961471779-0
Uniqueness

Uniqueness Score: 0.46%

APIs
• GetCursorPos.USER32(?), ref: 00402357
• ScreenToClient.USER32(004C67B0,?), ref: 00402374
• GetAsyncKeyState.USER32(00000001), ref: 00402399
• GetAsyncKeyState.USER32(00000002), ref: 004023A7
• GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
Uniqueness

Uniqueness Score: 0.15%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0047C312
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00441D88,?), ref: 0047C324
Strings
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                      • API String ID: 2574300362-1816364905
                                                                                      • Opcode ID: 8f6b8fbc5ae0276c8692dd60ba773bbd6744e56ae64103a06af9cbd1890bf6c2
                                                                                      • Instruction ID: 448837d343b809a7a747f76761528a7c57238ea74050f81ad14c4a4b07cc8ac9
                                                                                      • Opcode Fuzzy Hash: 8f6b8fbc5ae0276c8692dd60ba773bbd6744e56ae64103a06af9cbd1890bf6c2
                                                                                      • Instruction Fuzzy Hash: FFE08C70200303CFCB205F25C848B8B76D4EB08714B90C83FE899C2310E778D880CBA8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

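Added example, not part of the Joe Sandbox report: a small Python parser for the API bullets printed in these function records. It turns each bullet into a structured record, keeps the "Part of subcall function" nesting, pulls out the export names that GetProcAddress resolves at run time (in the record above, GetSystemWow64DirectoryW is looked up by name rather than imported, the usual idiom for an API that may be missing on older Windows builds), and surfaces a few calls that a triage analyst reads in context. The sample input is constructed from lines on this page; the line regex and the watch-list notes are assumptions of this example, not Joe Sandbox's own format definition or verdict logic.

```python
"""Structured view of the 'APIs' bullets in a Joe Sandbox function record.

Added example for this page; the line regex and the WATCHLIST notes are
assumptions of this example, not Joe Sandbox's own format or verdict logic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, copied in the shape the report prints API bullets.
SAMPLE = """\
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0047C312
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00441D88,?), ref: 0047C324
• _memmove.LIBCMT ref: 0040E234
  • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
  • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
• GetUserNameW.ADVAPI32(?,?), ref: 00442242
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A39A
"""

# Three bullet shapes occur in the listing:
#   • Name.MODULE(arg,arg,...), ref: ADDR
#   • Part of subcall function ADDR: Name.MODULE(args), ref: ADDR   (nested call)
#   • _memmove.LIBCMT ref: ADDR                                     (no argument list)
_API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z0-9_@:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # stack slots as printed; '?' means not recovered
    ref: str                   # address of the call instruction
    subcall_of: Optional[str]  # callee address when the bullet is a nested subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """One ApiCall per matching bullet; non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref"), m.group("parent")))
    return calls


_HEX32 = re.compile(r"[0-9A-F]{8}")


def resolved_names(calls: List[ApiCall]) -> List[str]:
    """Export names resolved at run time through GetProcAddress.

    The second printed slot is lpProcName; '?' or a raw hex value means the
    analysis could not recover the string, so such slots are ignored.
    """
    names: List[str] = []
    for c in calls:
        if c.name == "GetProcAddress" and len(c.args) >= 2:
            target = c.args[1]
            if target != "?" and not _HEX32.fullmatch(target):
                names.append(target)
    return names


# Assumed triage notes. All of these are routine in benign code too; the aim
# is only to surface them so a human reads them in context.
WATCHLIST: Dict[str, str] = {
    "GetProcAddress": "dynamic import resolution; inspect the resolved names",
    "GetSystemWow64DirectoryW": "looked up by name, a probe for a 64-bit host",
    "GetUserNameW": "reads the logged-on user name (host profiling)",
    "SetUnhandledExceptionFilter": "top-level exception filter (CRT start-up, also an anti-debug idiom)",
}


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """Counts per module plus the watch-listed APIs, including names that only
    appear as GetProcAddress targets rather than as direct calls."""
    flagged: Dict[str, str] = {}
    for c in calls:
        for api in (c.name, *resolved_names([c])):
            if api in WATCHLIST:
                flagged.setdefault(api, WATCHLIST[api])
    return {
        "modules": dict(Counter(c.module for c in calls)),
        "dynamic_resolutions": resolved_names(calls),
        "nested": sum(1 for c in calls if c.subcall_of),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        nest = f" (inside {c.subcall_of})" if c.subcall_of else ""
        print(f"{c.ref}: {c.module}!{c.name}({', '.join(c.args)}){nest}")
    for api, note in summarize(parse_api_lines(SAMPLE))["flagged"].items():
        print(f"[watch] {api}: {note}")
```

Read the flags together with each record's Uniqueness Score: in Joe Sandbox a score near 0% marks a function seen across many other samples, which is typical of runtime or framework code such as the SetUnhandledExceptionFilter and ___libm_error_support records below, while a 100% function such as the _memmove/LoadStringW/MessageBoxW record above is specific to this binary and is where reading time is best spent.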
APIs
• _memmove.LIBCMT ref: 0040E234
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
• _memmove.LIBCMT ref: 00443BAC
  • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
  • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
  • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A177
  • Part of subcall function 0046A0B5: __swprintf.LIBCMT ref: 0046A190
  • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
  • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
  • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: LoadString__swprintf_memmove_wprintf$Exception@8MessageThrowstd::exception::exception
• String ID:
• API String ID: 937456103-0
• Opcode ID: 42639e607639d7894ca0c0b9b3292b90ae5e8a868e0793fe283a43a61668367b
• Instruction ID: 717d1ab0d90b391ed1eaae52652e6e1fa3a898975f929f0a44a13a0e96a5ed75
• Opcode Fuzzy Hash: 42639e607639d7894ca0c0b9b3292b90ae5e8a868e0793fe283a43a61668367b
• Instruction Fuzzy Hash: 0822A170A00215DFDB24DF55C480AAEBBF0FF04304F14887BE956AB391D778A995CB99
Uniqueness

Uniqueness Score: 0.36%

APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0047977D,?,0048FB84,?), ref: 0046A302
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0047977D,?,0048FB84,?), ref: 0046A314
  • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: ErrorFormatLastMessage_memmove
• String ID:
• API String ID: 2549646519-0
• Opcode ID: fdc253593644b675b03e04101d794375ebb0b1d2eb4720d6b1b64855b0efc77e
• Instruction ID: ec260152526798b71ceb7e6cab33189719a1cd8c4d24e489ae92bbfcc79f14b4
• Opcode Fuzzy Hash: fdc253593644b675b03e04101d794375ebb0b1d2eb4720d6b1b64855b0efc77e
• Instruction Fuzzy Hash: 1AF0E23154422DABDB109FA4CC48FEA736CBF08361F00416AFC08E6281D6309944CBA6
Uniqueness

Uniqueness Score: 0.02%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A39A
• UnhandledExceptionFilter.KERNEL32(?), ref: 0042A3A3
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
• Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
• Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
• Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99
Uniqueness

Uniqueness Score: 0.02%

APIs
• ___libm_error_support.LIBCMT ref: 0042FC43
  • Part of subcall function 00433718: DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00432653), ref: 00433734
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: DecodePointer___libm_error_support
• String ID:
• API String ID: 3413902329-0
• Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
• Instruction ID: bce05383f65911ef53e75d5f2b7ae8bd864113105c6f5f1cb0bb4096b20a0191
• Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
• Instruction Fuzzy Hash: 9A325921E29F114DD7235634D832336A258AFB73C8F95D737F819B5EA6DB28D4834208
Uniqueness

Uniqueness Score: 1.05%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00442242
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 8a249febe551d676a54362e58b36ee3cbdd6c7cccf50f5c22d62ededf723ae2e
• Instruction ID: 9fab3e4f47dffe1bb4406c65b0cef95ea93db68453fc608ef19f458391309213
• Opcode Fuzzy Hash: 8a249febe551d676a54362e58b36ee3cbdd6c7cccf50f5c22d62ededf723ae2e
• Instruction Fuzzy Hash: 55C04CF1800109DBDB05DB90D988DEE77BCAB04304F104466A101F2110D7749B448B76
Uniqueness

Uniqueness Score: 0.06%

Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 3a63805bb8c2c01de1b6144fc2d7500bdbb157a027ed3d5f9b560445ff49f309
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: C2C1C6323050B309DB2D8639A63013FBAE15EA27B139A076FE4B3CB6D4EF58D564D614
Uniqueness

Uniqueness Score: 0.00%

Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: aaf8636ec1f05b4987ac2accbf93641bd6487308852fa21464a5fdbc51815f71
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: 18C1B7323050B309DB2D8639A63413FBBE15EA27B139A076FE4B2DB6D4EF18D524D614
Uniqueness

Uniqueness Score: 0.00%

APIs
• SetTextColor.GDI32(?,00000000), ref: 0048A89F
• SetTextColor.GDI32(?,000000FF), ref: 0048A8BE
• GetSysColorBrush.USER32(0000000F), ref: 0048A8D0
• GetSysColor.USER32(0000000F), ref: 0048A8DC
• CreateSolidBrush.GDI32(000000FF), ref: 0048A8E7
• SetBkColor.GDI32(?,000000FF), ref: 0048A8F6
• SelectObject.GDI32(?,?), ref: 0048A905
• InflateRect.USER32(?,000000FF,000000FF), ref: 0048A930
• GetSysColor.USER32(00000010), ref: 0048A938
• CreateSolidBrush.GDI32(00000000), ref: 0048A93F
• FrameRect.USER32(?,?,00000000), ref: 0048A94E
• DeleteObject.GDI32(00000000), ref: 0048A955
• InflateRect.USER32(?,000000FF,000000FF), ref: 0048A96D
• DrawFrameControl.USER32(?,?,00000004,00000010), ref: 0048A97D
• InflateRect.USER32(?,000000FE,000000FE), ref: 0048A9A0
• InflateRect.USER32(?,000000FE,000000FE), ref: 0048A9BA
• FillRect.USER32(?,?,?), ref: 0048A9D2
• GetWindowLongW.USER32(?,000000F0), ref: 0048A9FD
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048AA4E
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
• GetWindowTextW.USER32(?,00000000,00000001), ref: 0048AA79
• DrawTextW.USER32(?,?,000000FF,?,00000104), ref: 0048AA8C
• GetSysColor.USER32(00000011), ref: 0048AAAF
• SetTextColor.GDI32(?,00000000), ref: 0048AAB7
• DrawTextW.USER32(?,?,000000FF,?,00000000), ref: 0048AACD
• CreateSolidBrush.GDI32(00000000), ref: 0048AAE8
• FrameRect.USER32(?,00000000,00000000), ref: 0048AAF7
• DeleteObject.GDI32(00000000), ref: 0048AAFE
• InflateRect.USER32(?,000000FC,000000FC), ref: 0048AB0D
• DrawFocusRect.USER32(?,00000000), ref: 0048AB19
• SelectObject.GDI32(?,?), ref: 0048AB2E
• DeleteObject.GDI32(?), ref: 0048AB38
• SetTextColor.GDI32(?,?), ref: 0048AB43
• SetBkColor.GDI32(?,?), ref: 0048AB4E
  • Part of subcall function 0048AB60: GetSysColor.USER32(00000012), ref: 0048AB99
  • Part of subcall function 0048AB60: SetTextColor.GDI32(?,?), ref: 0048AB9D
  • Part of subcall function 0048AB60: GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
  • Part of subcall function 0048AB60: GetSysColor.USER32(0000000F), ref: 0048ABBE
  • Part of subcall function 0048AB60: CreateSolidBrush.GDI32(?), ref: 0048ABC3
  • Part of subcall function 0048AB60: GetSysColor.USER32(00000011), ref: 0048ABDB
  • Part of subcall function 0048AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
  • Part of subcall function 0048AB60: SelectObject.GDI32(?,00000000), ref: 0048ABFA
  • Part of subcall function 0048AB60: SetBkColor.GDI32(?,00000000), ref: 0048AC03
  • Part of subcall function 0048AB60: SelectObject.GDI32(?,?), ref: 0048AC10
  • Part of subcall function 0048AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
  • Part of subcall function 0048AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
  • Part of subcall function 0048AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B
  • Part of subcall function 0048AB60: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048ACA7
  • Part of subcall function 0048AB60: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048ACCE
  • Part of subcall function 0048AB60: InflateRect.USER32(?,000000FD,000000FD), ref: 0048ACEC
  • Part of subcall function 0048AB60: DrawFocusRect.USER32(?,?), ref: 0048ACF7
  • Part of subcall function 0048AB60: GetSysColor.USER32(00000011), ref: 0048AD05
  • Part of subcall function 0048AB60: SetTextColor.GDI32(?,00000000), ref: 0048AD0D
  • Part of subcall function 0048AB60: DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AD21
  • Part of subcall function 0048AB60: SelectObject.GDI32(?,0048A869), ref: 0048AD38
  • Part of subcall function 0048AB60: DeleteObject.GDI32(?), ref: 0048AD43
  • Part of subcall function 0048AB60: SelectObject.GDI32(?,?), ref: 0048AD49
  • Part of subcall function 0048AB60: DeleteObject.GDI32(?), ref: 0048AD4E
  • Part of subcall function 0048AB60: SetTextColor.GDI32(?,?), ref: 0048AD54
  • Part of subcall function 0048AB60: SetBkColor.GDI32(?,?), ref: 0048AD5E
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
                                                                                      • API ID: Color$Rect$Text$Object$Inflate$BrushDrawSelect$CreateDelete$SolidWindow$Frame$FocusLongMessageSend$ControlException@8FillRoundThrowstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 2948665181-0
                                                                                      • Opcode ID: ca26ed1d54bb8123bf66e1cf3c232692827ca5efe3465f62183b732a343c8a10
                                                                                      • Instruction ID: 452232081cd78e43451fe9d0edc745e4d0d3487f89d4aa1c860563aee330a7d3
                                                                                      • Opcode Fuzzy Hash: ca26ed1d54bb8123bf66e1cf3c232692827ca5efe3465f62183b732a343c8a10
                                                                                      • Instruction Fuzzy Hash: ACA17D72408301BFD710AF64DC08A6F7BA9FB89321F104E3EF962961A1D774D859CB56
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.25%
                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 004028C4
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 004028F7
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 0040291C
                                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                                                                                      • GetStockObject.GDI32(00000011), ref: 004029CA
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                                                                                        • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                                                        • Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                                        • Part of subcall function 00402344: GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
                                                                                      • SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 004029FC
                                                                                        • Part of subcall function 0048B00F: DestroyWindow.USER32(?), ref: 0048B04A
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • GetWindowRect.USER32(?,?), ref: 0043C39C
                                                                                      • GetClientRect.USER32(?,?), ref: 0043C3A9
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 0043C3B1
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 0043C3C4
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 0043C3E9
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,?), ref: 00402ACF
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,00000000), ref: 00402B17
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,00000006), ref: 0043C46A
                                                                                        • Part of subcall function 00402A5B: LockWindowUpdate.USER32(00000000), ref: 0043C492
                                                                                        • Part of subcall function 00402A5B: InvalidateRect.USER32(00000000,00000000,00000001), ref: 0043C49E
                                                                                        • Part of subcall function 00402A5B: LockWindowUpdate.USER32(FFFFFFFF), ref: 0043C4AE
                                                                                        • Part of subcall function 00402A5B: EnableWindow.USER32(FFFFFFFF,00000001), ref: 0043C4BF
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,?), ref: 0043C4D6
                                                                                        • Part of subcall function 004034C2: _memmove.LIBCMT ref: 0043D28C
                                                                                      Strings
                                                                                      • AutoIt v3 GUI, xrefs: 00402974
                                                                                      • 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, xrefs: 0043C3D9
                                                                                      • athan, xrefs: 00402855
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$System$MetricsRect$Show$ClientLong$AsyncInfoLockParametersStateUpdate$AdjustCreateCursorDestroyEnableException@8InvalidateMessageObjectScreenSendStockThrowTimer_memmovestd::exception::exception
                                                                                      • String ID: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000$AutoIt v3 GUI$athan
                                                                                      • API String ID: 3027708390-1992051106
                                                                                      • Opcode ID: 518d5aec92cc7ef936ed3da500e60c79228adc8694f127a3c6f5b8083d95c1aa
                                                                                      • Instruction ID: 34a51bb5a318ae1a344add4034b802b2dd09297663e35ec0c622bb09f95dc302
                                                                                      • Opcode Fuzzy Hash: 518d5aec92cc7ef936ed3da500e60c79228adc8694f127a3c6f5b8083d95c1aa
                                                                                      • Instruction Fuzzy Hash: 21B18275600205AFDB14DF68DD89BAE7BB4FB08314F10863AFA15A72D0DB78A851CF58
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      APIs
                                                                                      • __wcsnicmp.LIBCMT ref: 0045B23F
                                                                                        • Part of subcall function 00423A0B: __wcsnicmp_l.LIBCMT ref: 00423AB4
                                                                                      • __wcsnicmp.LIBCMT ref: 0045B25B
                                                                                      • __wcsnicmp.LIBCMT ref: 0045B283
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                        • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wcsnicmp$_memmove$__wcsicmp_l__wcsnicmp_l
                                                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                      • API String ID: 4253603199-1810252412
                                                                                      • Opcode ID: 94626885eb53c281deaadfce57b48c135f2990b62eb1e481d15a8ab7da1ab867
                                                                                      • Instruction ID: 0a4734ff45ec4583e3e81acf795fc21f567cbd392f16838e952200b8ee8254f0
                                                                                      • Opcode Fuzzy Hash: 94626885eb53c281deaadfce57b48c135f2990b62eb1e481d15a8ab7da1ab867
                                                                                      • Instruction Fuzzy Hash: B5318B30A04205A6DB14EA62CD43BEE77A4DF24756F60006FB941720D2EF6D6E09C9AE
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.28%
                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • DragQueryPoint.SHELL32(?,?), ref: 0048C917
                                                                                        • Part of subcall function 0048ADF1: ClientToScreen.USER32(?,?), ref: 0048AE1A
                                                                                        • Part of subcall function 0048ADF1: GetWindowRect.USER32(?,?), ref: 0048AE90
                                                                                        • Part of subcall function 0048ADF1: PtInRect.USER32(?,?,0048C304), ref: 0048AEA0
                                                                                        • Part of subcall function 0048ADF1: MessageBeep.USER32(00000000), ref: 0048AF11
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C980
                                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C98B
                                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C9AE
                                                                                      • _wcscat.LIBCMT ref: 0048C9DE
                                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C9F5
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0048CA0E
                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA25
                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA47
                                                                                      • DragFinish.SHELL32(?), ref: 0048CA4E
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000), ref: 0048CB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Send$Drag$Query$FileRectWindow$BeepClientFinishLongPointProcScreen_memmove_wcscat
                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                      • API String ID: 2215142556-3440237614
                                                                                      • Opcode ID: b0ecac695bacdf03f9556780f83c2e5c7a6877697b6481f50bb03aae47d9f563
                                                                                      • Instruction ID: 9d54b60ae23129ec17e3264f3c4c669362dbaaf1ee08fbcc713ae4d442fb7e93
                                                                                      • Opcode Fuzzy Hash: b0ecac695bacdf03f9556780f83c2e5c7a6877697b6481f50bb03aae47d9f563
                                                                                      • Instruction Fuzzy Hash: B6617F71108301AFC701EF65DC85D9FBBF8EF88714F500A2EF591A21A1DB749A49CB6A
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                      • __swprintf.LIBCMT ref: 0046A177
                                                                                      • __swprintf.LIBCMT ref: 0046A190
                                                                                        • Part of subcall function 004238D8: __woutput_l.LIBCMT ref: 00423931
                                                                                        • Part of subcall function 004238D8: __flsbuf.LIBCMT ref: 00423953
                                                                                        • Part of subcall function 004238D8: __flsbuf.LIBCMT ref: 0042396B
                                                                                      • MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                      • _wprintf.LIBCMT ref: 0046A246
                                                                                      • _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 00423ECA: __stbuf.LIBCMT ref: 00423F1A
                                                                                        • Part of subcall function 00423ECA: __woutput_l.LIBCMT ref: 00423F33
                                                                                        • Part of subcall function 00423ECA: __ftbuf.LIBCMT ref: 00423F47
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$LoadString__flsbuf__swprintf__woutput_l_wprintf$Message__ftbuf__stbuf
                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%I
                                                                                      • API String ID: 1709840473-1791166345
                                                                                      • Opcode ID: 661f649b8b59d081535385d181687ac83481af4682fac3b186d71f510afb67f7
                                                                                      • Instruction ID: 5eca713841166c9be329d5f9fa950bc6c7814f67f077d1cebb18d641bd9ae8df
                                                                                      • Opcode Fuzzy Hash: 661f649b8b59d081535385d181687ac83481af4682fac3b186d71f510afb67f7
                                                                                      • Instruction Fuzzy Hash: 70516171940509AACF15EBA1CD42EEEB779AF04304F1041AAF50572191EB396F58CFAA
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C4EC
                                                                                      • GetFocus.USER32 ref: 0048C4FC
                                                                                      • GetDlgCtrlID.USER32(00000000), ref: 0048C507
                                                                                        • Part of subcall function 00487F4C: GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00487FBA
                                                                                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                      • _memset.LIBCMT ref: 0048C632
                                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C65D
                                                                                      • GetMenuItemCount.USER32(?), ref: 0048C67D
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0048C690
                                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C6C4
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C70C
                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C744
                                                                                        • Part of subcall function 0048B60B: IsWindow.USER32(00A74CB8), ref: 0048B6A5
                                                                                        • Part of subcall function 0048B60B: IsWindowEnabled.USER32(00A74CB8), ref: 0048B6B1
                                                                                        • Part of subcall function 0048B60B: SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0048B795
                                                                                        • Part of subcall function 0048B60B: SendMessageW.USER32(00A74CB8,000000B0,?,?), ref: 0048B7CC
                                                                                        • Part of subcall function 0048B60B: IsDlgButtonChecked.USER32(?,?), ref: 0048B809
                                                                                        • Part of subcall function 0048B60B: GetWindowLongW.USER32(00A74CB8,000000EC), ref: 0048B82B
                                                                                        • Part of subcall function 0048B60B: SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B843
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • DefDlgProcW.USER32(?,00000111,?,?), ref: 0048C779
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Window$InfoMessage$LongSend$ButtonCheckCheckedCountCtrlEnabledException@8FocusPostProcRadioThrow_memsetstd::exception::exception
                                                                                      • String ID: 0
                                                                                      • API String ID: 1009432489-4108050209
                                                                                      • Opcode ID: f1c2b2b362b8fb24544f0532e031d5921b607a9cef57e9f66c8c291609998193
                                                                                      • Instruction ID: 044de7e4dd35a86088de80346c1f5ac2e8e2e031d82544e17b68ab28cbecaa44
                                                                                      • Opcode Fuzzy Hash: f1c2b2b362b8fb24544f0532e031d5921b607a9cef57e9f66c8c291609998193
                                                                                      • Instruction Fuzzy Hash: A1818E70608311AFDB10EF15C984A6FBBE8FB88314F104D2EF995A3291D774D905CBAA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.28%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 004045F9
                                                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 0043D750
                                                                                      • GetMenuItemCount.USER32(004C6890), ref: 0043D7CD
                                                                                        • Part of subcall function 004626F9: _memset.LIBCMT ref: 00462747
                                                                                        • Part of subcall function 004626F9: GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462792
                                                                                        • Part of subcall function 004626F9: IsMenu.USER32(00000000), ref: 004627B2
                                                                                        • Part of subcall function 004626F9: CreatePopupMenu.USER32 ref: 004627E6
                                                                                        • Part of subcall function 004626F9: GetMenuItemCount.USER32(000000FF), ref: 00462844
                                                                                        • Part of subcall function 004626F9: InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462875
                                                                                      • DeleteMenu.USER32(004C6890,00000005,00000000), ref: 0043D85D
                                                                                      • DeleteMenu.USER32(004C6890,00000004,00000000), ref: 0043D865
                                                                                      • DeleteMenu.USER32(004C6890,00000006,00000000), ref: 0043D86D
                                                                                      • DeleteMenu.USER32(004C6890,00000003,00000000), ref: 0043D875
                                                                                      • GetMenuItemCount.USER32(004C6890), ref: 0043D87D
                                                                                      • SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 0043D8B7
                                                                                      • GetCursorPos.USER32(?), ref: 0043D8C1
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0043D8CA
                                                                                      • TrackPopupMenuEx.USER32(004C6890,00000000,?,00000000,00000000,00000000), ref: 0043D8DD
                                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0043D8E9
                                                                                        • Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
                                                                                        • Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
                                                                                        • Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
                                                                                        • Part of subcall function 0040410D: LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$Delete$CountInfo_memset$Popup$CreateCursorForegroundIconInsertLoadMessageNotifyPostShell_StringTrackWindow_wcscpy
                                                                                      • String ID:
                                                                                      • API String ID: 3665929494-0
                                                                                      • Opcode ID: e597ca9b44f071e22430df5e07161a6b1da801a0e098349f580a2e7d56667eca
                                                                                      • Instruction ID: 2639a210842817a24e8eb206f5a4e9758f878a2c8cdeb628821b1e41afb81110
                                                                                      • Opcode Fuzzy Hash: e597ca9b44f071e22430df5e07161a6b1da801a0e098349f580a2e7d56667eca
                                                                                      • Instruction Fuzzy Hash: 14713970A40205BEEB209F15EC45FABBF65FF49368F200227F625662D1C7B96C10DB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.48%

                                                                                      APIs
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E9D0
                                                                                        • Part of subcall function 0045F2CC: #10.OLEAUT32(?,?,?,?,?,0045E5CC,?,?,?,?,?,?,?,?,?,?), ref: 0045F2D9
                                                                                        • Part of subcall function 0045F2CC: #12.OLEAUT32(?,?,00000000,?,?,?,0045E5CC,?,?,?,?,?,?,?,?), ref: 0045F322
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E643
                                                                                        • Part of subcall function 0045F583: #9.OLEAUT32(?,?,?,?,?,?,0045E5F6,?,?,?,?,?,?,?,?,?), ref: 0045F595
                                                                                        • Part of subcall function 0045F279: #7.OLEAUT32(?,?,?,?,?,0045E61E,?,?,?,?,?,?,?,?,?), ref: 0045F286
                                                                                        • Part of subcall function 0045F279: lstrcpyW.KERNEL32(00000000,?), ref: 0045F2B7
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E621
                                                                                        • Part of subcall function 0045F3DD: #8.OLEAUT32(?,?,?), ref: 0045F3F7
                                                                                        • Part of subcall function 0045F3DD: #9.OLEAUT32(00000013,?,?), ref: 0045F469
                                                                                        • Part of subcall function 0045F3DD: #9.OLEAUT32(00000000,?,?), ref: 0045F4C4
                                                                                        • Part of subcall function 0045F3DD: _memmove.LIBCMT ref: 0045F4EE
                                                                                        • Part of subcall function 0045F3DD: #9.OLEAUT32(?,?,?), ref: 0045F53B
                                                                                        • Part of subcall function 0045F3DD: #12.OLEAUT32(?,?,00000000,00000013,?,?), ref: 0045F569
                                                                                        • Part of subcall function 0045E187: #9.OLEAUT32(?,?,?,?,?,0045E6A4,?,?,?,?,?,?,?,?), ref: 0045E198
                                                                                        • Part of subcall function 0045F0F4: CLSIDFromString.OLE32(?,00000000), ref: 0045F116
                                                                                        • Part of subcall function 0045F0F4: #8.OLEAUT32(00000008,00000000,?,?), ref: 0045F127
                                                                                        • Part of subcall function 0045F0F4: #9.OLEAUT32(00000008), ref: 0045F176
                                                                                        • Part of subcall function 0045F20E: _memmove.LIBCMT ref: 0045F233
                                                                                        • Part of subcall function 0045F1C7: #7.OLEAUT32(?,00000000,?,?,?,0045E71C,?,?,?,?,?,?,?,?,?,?), ref: 0045F1D4
                                                                                        • Part of subcall function 0045F1C7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000,?,0045E71C,?,?,?,?,?,?), ref: 0045F1FF
                                                                                        • Part of subcall function 0045F244: #8.OLEAUT32(00000000,00000000,?,?,0045E72B,?,?,?,?,?,?,?,?,?,?), ref: 0045F254
                                                                                        • Part of subcall function 0045F244: #10.OLEAUT32(00000000,?,?,0045E72B,?,?,?,?,?,?,?,?,?,?), ref: 0045F25F
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E75F
                                                                                      • #8.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E7C2
                                                                                      • #146.OLEAUT32(00000008,?,?,00000015,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E828
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E83A
                                                                                      • #10.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?), ref: 0045E8A6
                                                                                        • Part of subcall function 0045F34A: #11.OLEAUT32(?,?,00000000,?,00000000,?,0045E915,?,?,?,?,?,?,?,?), ref: 0045F374
                                                                                        • Part of subcall function 0045F34A: #9.OLEAUT32(?,?,0045E915,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045F38B
                                                                                        • Part of subcall function 0045F34A: #9.OLEAUT32(?,00000000,?,00000000,?,0045E915,?,?,?,?,?,?,?,?,?,?), ref: 0045F3C1
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E931
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E94A
                                                                                        • Part of subcall function 0045DFDC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 0045E01F
                                                                                        • Part of subcall function 0045DFDC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E045
                                                                                        • Part of subcall function 0045DFDC: #2.OLEAUT32(00000000), ref: 0045E048
                                                                                        • Part of subcall function 0045DFDC: #2.OLEAUT32(?,00000000,?,00000000), ref: 0045E066
                                                                                        • Part of subcall function 0045DFDC: #6.OLEAUT32(?), ref: 0045E06F
                                                                                        • Part of subcall function 0045DFDC: StringFromGUID2.OLE32(?,?,00000028), ref: 0045E094
                                                                                        • Part of subcall function 0045DFDC: #2.OLEAUT32(?), ref: 0045E0A2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$FromString_memmove$#146Exception@8Throwlstrcpystd::exception::exception
                                                                                      • String ID: $@
                                                                                      • API String ID: 1954046481-3337466569
                                                                                      • Opcode ID: fdc21c2c2310439b97150ff59be9d507ef7602ed35f6f1ccccfbbbda465b40aa
                                                                                      • Instruction ID: 2367215a764623180a7b7ccf3c946de02fa337b23223ba35a6fad57feaa93611
                                                                                      • Opcode Fuzzy Hash: fdc21c2c2310439b97150ff59be9d507ef7602ed35f6f1ccccfbbbda465b40aa
                                                                                      • Instruction Fuzzy Hash: E5E1EFB5504311ABD724DF1AC884A2BBBE4FF88755F40482EF985D7362C238E949CB5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 7.75%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                        • Part of subcall function 0048BCED: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0048BD10
                                                                                        • Part of subcall function 0048BCED: GetFileSize.KERNEL32(00000000,00000000), ref: 0048BD27
                                                                                        • Part of subcall function 0048BCED: GlobalAlloc.KERNEL32(00000002,00000000), ref: 0048BD32
                                                                                        • Part of subcall function 0048BCED: CloseHandle.KERNEL32(00000000), ref: 0048BD3F
                                                                                        • Part of subcall function 0048BCED: GlobalLock.KERNEL32(00000000), ref: 0048BD48
                                                                                        • Part of subcall function 0048BCED: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0048BD57
                                                                                        • Part of subcall function 0048BCED: GlobalUnlock.KERNEL32(00000000), ref: 0048BD60
                                                                                        • Part of subcall function 0048BCED: CloseHandle.KERNEL32(00000000), ref: 0048BD67
                                                                                        • Part of subcall function 0048BCED: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0048BD78
                                                                                        • Part of subcall function 0048BCED: #418.OLEAUT32(?,00000000,00000000,00492CAC,?), ref: 0048BD91
                                                                                        • Part of subcall function 0048BCED: GlobalFree.KERNEL32(00000000), ref: 0048BDA1
                                                                                        • Part of subcall function 0048BCED: GetObjectW.GDI32(?,00000018,000000FF), ref: 0048BDC5
                                                                                        • Part of subcall function 0048BCED: CopyImage.USER32(?,00000000,?,?,00002000), ref: 0048BDF0
                                                                                        • Part of subcall function 0048BCED: DeleteObject.GDI32(00000000), ref: 0048BE18
                                                                                        • Part of subcall function 0048BCED: SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0048BE2E
                                                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000), ref: 004877CD
                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004877D4
                                                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004877E7
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004877EF
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 004877FA
                                                                                      • DeleteDC.GDI32(00000000), ref: 00487803
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0048780D
                                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00487821
                                                                                      • DestroyWindow.USER32(?), ref: 0048782D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Global$CreateObject$FileMessageSend$CloseDeleteHandle$#418AllocAttributesCompatibleCopyDestroyFreeImageLayeredLockLongMovePixelReadSelectShowSizeStockStreamUnlock
                                                                                      • String ID: athan$static
                                                                                      • API String ID: 406645659-3227529370
                                                                                      • Opcode ID: 80c3bdd7a0d63ebeaa4556a6b8c79307fca78e479194d2b0b8ea9a7529ca2377
                                                                                      • Instruction ID: 789ec3a4cb580d3187b1e0f25c444e25d791e636f2d83489152635d906d596f6
                                                                                      • Opcode Fuzzy Hash: 80c3bdd7a0d63ebeaa4556a6b8c79307fca78e479194d2b0b8ea9a7529ca2377
                                                                                      • Instruction Fuzzy Hash: DD316E31105115AFDF11AF64DC08FDF3B69EF49324F210A29FA15A61A0D739E815DBA8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.12%

                                                                                      APIs
                                                                                      • #115.WSOCK32(00000101,?), ref: 0046490E
                                                                                      • #57.WSOCK32(?,00000100), ref: 00464928
                                                                                      • #52.WSOCK32(?), ref: 00464935
                                                                                      • _wcscpy.LIBCMT ref: 0046495D
                                                                                      • _memmove.LIBCMT ref: 00464970
                                                                                      • #11.WSOCK32(?), ref: 0046497B
                                                                                      • _strcat.LIBCMT ref: 00464989
                                                                                        • Part of subcall function 0046573E: _strlen.LIBCMT ref: 00465756
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00466870), ref: 00465769
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00466870), ref: 0046579D
                                                                                      • _wcscpy.LIBCMT ref: 004649A0
                                                                                      • #116.WSOCK32 ref: 004649AE
                                                                                      • _wcscpy.LIBCMT ref: 004649BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcscpy$ByteCharMultiWide$#115#116_memmove_strcat_strlen
• String ID: 0.0.0.0
• API String ID: 860691916-3771769585
• Opcode ID: b04b605564964ba513ed41840f888054d6b25d01aa9a0fd6bf6a64456257caa4
• Instruction ID: a415c47feca9f18ccc9aca6889e14e15c95de93dcf3fd0710918b8717f4bba87
• Opcode Fuzzy Hash: b04b605564964ba513ed41840f888054d6b25d01aa9a0fd6bf6a64456257caa4
• Instruction Fuzzy Hash: FE110571A04124ABDB20AB34AD06EDF77ACDF40714F1001BBF40492191FFB89AC9976A
Uniqueness

Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00401B9A
• DestroyWindow.USER32(?), ref: 004020D3
• KillTimer.USER32(-00000001,?), ref: 0040216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0043BEF6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BF27
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BF3E
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BF5A
• DeleteObject.GDI32(00000000), ref: 0043BF6C
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0043BF7E
• DeleteObject.GDI32(00000000), ref: 0043BF90
• DestroyWindow.USER32(00000000), ref: 0043BFA2
• DestroyIcon.USER32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BFB4
• DestroyIcon.USER32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BFC2
Memory Dump Source
• Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
• Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
• Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
• Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
• Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Destroy$IconImageList_$DeleteObjectWindow$AcceleratorInvalidateKillRectTableTimer
• String ID:
• API String ID: 2960459417-0
• Opcode ID: 78cac20c66e0e6767138dba4ab7aa47be9ee332057a729cfcb45c06255a83930
• Instruction ID: 62d4407ef01395a22b5ebf1233624f5b0999fc02156c59d6ff76a6043205edb2
• Opcode Fuzzy Hash: 78cac20c66e0e6767138dba4ab7aa47be9ee332057a729cfcb45c06255a83930
• Instruction Fuzzy Hash: 55616B34101610DFD725AF14CE48B2A77F1FF44315F11993EE642A6AE0C7B9A881DF99
Uniqueness

Uniqueness Score: 0.27%

APIs
  • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
• GetSysColor.USER32(0000000F), ref: 004021D3
• GetSysColor.USER32(00000008), ref: 00402231
• SetTextColor.GDI32(?,000000FF), ref: 0040223B
• SetBkMode.GDI32(?,00000001), ref: 00402250
• GetStockObject.GDI32(00000005), ref: 00402258
• GetWindowDC.USER32(?), ref: 0043C0D3
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0043C0E0
• GetPixel.GDI32(00000000,?,00000000), ref: 0043C0F9
• GetPixel.GDI32(00000000,00000000,?), ref: 0043C112
• GetPixel.GDI32(00000000,?,?), ref: 0043C132
• ReleaseDC.USER32(?,00000000), ref: 0043C13D
• SetBkColor.GDI32(?,00000000), ref: 0043C159
  • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
Similarity
• API ID: ColorPixel$Window$BrushCreateLongModeObjectReleaseSolidStockText
• String ID:
• API String ID: 2304791953-0
• Opcode ID: 9bab39a7b058799e73335b840fbde69c808da43099dfa5b55a8570615694d643
• Instruction ID: 47503e6e8c25a14c6d04473920290e3c3a9e3a2f6008e0ea463bb1cae73e411f
• Opcode Fuzzy Hash: 9bab39a7b058799e73335b840fbde69c808da43099dfa5b55a8570615694d643
• Instruction Fuzzy Hash: FD41D731000140AFDF215FA8DC8CBBA3765EB46331F1446BAFD65AA2E2C7758C86DB59
Uniqueness

Uniqueness Score: 0.24%

APIs
• _memset.LIBCMT ref: 004873D9
• CreateMenu.USER32 ref: 004873F4
• SetMenu.USER32(?,00000000), ref: 00487403
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487490
• IsMenu.USER32(?), ref: 004874A6
• CreatePopupMenu.USER32 ref: 004874B0
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004874DD
• DrawMenuBar.USER32 ref: 004874E5
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: c25b011170b029855e58234153c04d5ad6438b2c3f951a4d7e3730a877261e10
• Instruction ID: 469fb1be4590f9541f2c80e88f17ef0f5a107e94f682755a56fb5537772b2935
• Opcode Fuzzy Hash: c25b011170b029855e58234153c04d5ad6438b2c3f951a4d7e3730a877261e10
• Instruction Fuzzy Hash: 08415874A01205EFDB10EF64D898E9EBBB9FF49300F24482AED55A7361D734A914CF68
Uniqueness

Uniqueness Score: 4.65%

APIs
  • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
• _memset.LIBCMT ref: 0042707B
  • Part of subcall function 00433F0C: __lock.LIBCMT ref: 00433F23
  • Part of subcall function 00433F0C: __tzset_nolock.LIBCMT ref: 00433F36
• __gmtime64_s.LIBCMT ref: 00427114
• __gmtime64_s.LIBCMT ref: 0042714A
• __gmtime64_s.LIBCMT ref: 00427167
  • Part of subcall function 00433CE1: _memset.LIBCMT ref: 00433D11
  • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433D64
  • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433E60
  • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433EB5
  • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433ECF
  • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433EF0
  • Part of subcall function 00433F5C: __lock.LIBCMT ref: 00433F6E
  • Part of subcall function 00433F5C: __isindst_nolock.LIBCMT ref: 00433F7B
• __allrem.LIBCMT ref: 004271BD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004271D9
• __allrem.LIBCMT ref: 004271F0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042720E
• __allrem.LIBCMT ref: 00427225
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427243
• __invoke_watson.LIBCMT ref: 004272B4
  • Part of subcall function 00429006: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00429008
  • Part of subcall function 00429006: __call_reportfault.LIBCMT ref: 00429021
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__gmtime64_s$__lock_memset$FeaturePresentProcessor__call_reportfault__getptd_noexit__invoke_watson__isindst_nolock__tzset_nolock
• String ID:
• API String ID: 3881391381-0
• Opcode ID: f449d8c0ffc7a299f8ac5c355c84109bbbb1ac945fd94324ebc384d93c6e9658
• Instruction ID: 3a5766166ad995f9d080cadeea3a970d97efeda9365c881e9167125cd7ba6949
• Opcode Fuzzy Hash: f449d8c0ffc7a299f8ac5c355c84109bbbb1ac945fd94324ebc384d93c6e9658
• Instruction Fuzzy Hash: F3711972B04726EBD7149E79DC82B6BB3A4AF14324F54426FF514E6381E778E9008B98
Uniqueness

Uniqueness Score: 2.28%

APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00487214
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00487217
• GetWindowLongW.USER32(?,000000F0), ref: 0048723B
• _memset.LIBCMT ref: 0048724C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0048725E
  • Part of subcall function 0048AF23: _wcspbrk.LIBCMT ref: 0048AF30
  • Part of subcall function 0048AF23: _wcsncpy.LIBCMT ref: 0048AF64
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004872D6
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00487320
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 0048733F
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0048735A
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 0048736E
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 0048738B
  • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
  • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
  • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
  • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
Similarity
• API ID: MessageSend$ClientRectScreenWindow$InvalidateLong_memset_wcsncpy_wcspbrk
• String ID:
• API String ID: 3849892166-0
• Opcode ID: 1f254a2dd634fbf8d682cb823299d5faa4870696f922a999c8bea393425f8b4a
• Instruction ID: 98a04bc020cc1dfb4f2f33dd24e3f33540f585986abfb0e63cd4152109fcc849
• Opcode Fuzzy Hash: 1f254a2dd634fbf8d682cb823299d5faa4870696f922a999c8bea393425f8b4a
• Instruction Fuzzy Hash: 57618E75900208AFDB10EFA4CC91EEE77F8AF09704F24456AFA14A73A1C774A945DB64
Uniqueness

Uniqueness Score: 2.04%

APIs
• #41.OLEAUT32(0000000C,?,?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4), ref: 00457135
• #37.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 0045718E
• #8.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 004571A0
• #23.OLEAUT32(?,?,?,?,?,?,?,?,00456EC6), ref: 004571C0
• #9.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457264
  • Part of subcall function 00409E9C: #9.OLEAUT32(?,?,?,?,?,00469D81,?,00000001,-004C5E88,?,00455CCE,?,?,?,0040FAE1,00000000), ref: 0043FE11
  • Part of subcall function 004570DC: #9.OLEAUT32(?,00000000,?,00000016,00479753,?,00000016,?,00000016), ref: 00457101
• #10.OLEAUT32(?,?,00000002,?,?,?,?,?,?,?,00456EC6), ref: 00457213
• #24.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00456EC6), ref: 00457227
• #9.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 0045723C
• #39.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457249
• #38.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457252
• #38.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 0045726F
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b23c1a385547e4fe92da69b3c9963987276d6a870cfb840cf5260315eec4c18b
• Instruction ID: ee6ff97d49ab8f9c2dd167b55ca35aa0841007d9f21f2d6d7be11d351e1905ac
• Opcode Fuzzy Hash: b23c1a385547e4fe92da69b3c9963987276d6a870cfb840cf5260315eec4c18b
• Instruction Fuzzy Hash: 61416031A00119AFCB00DFA9D8449AEBBB9FF18755F00847EF955E7362CB34A949CB94
Uniqueness

Uniqueness Score: 2.04%

APIs
• _memset.LIBCMT ref: 0047947C
• #8.OLEAUT32(?), ref: 0047954D
• #8.OLEAUT32(?,?,?,?), ref: 0047964E
• #9.OLEAUT32(?), ref: 00479658
  • Part of subcall function 00467804: #8.OLEAUT32(00000000,?,?,00000016,00000016,?,004799E9,?,?), ref: 00467844
  • Part of subcall function 00467804: #10.OLEAUT32(00000000,?,?,004799E9,?,?), ref: 0046784D
  • Part of subcall function 00467804: #9.OLEAUT32(00000000,?,004799E9,?,?), ref: 00467859
• #9.OLEAUT32(?,?), ref: 004796B5
  • Part of subcall function 004796DB: GetLastError.KERNEL32(?,00000000,?,0048FB84,?,00000016,?,00000016), ref: 004798A5
  • Part of subcall function 004796DB: #8.OLEAUT32(?,?,?,?), ref: 00479999
  • Part of subcall function 004796DB: #9.OLEAUT32(?,0048FB84,00000000,?,?,?,?,?), ref: 00479A43
Strings
                                                                                      Similarity
                                                                                      • API ID: ErrorLast_memset
                                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                                                                      • API String ID: 533350023-1765764032
                                                                                      • Opcode ID: c876955a294aa8d86eb8db64ea30777345f3c0a1fb8a500add95116d5b305f7c
                                                                                      • Instruction ID: fcebb0c40d61f867c18811628665e3ff882c4d71f35d8502a0dec60dd81a9e36
                                                                                      • Opcode Fuzzy Hash: c876955a294aa8d86eb8db64ea30777345f3c0a1fb8a500add95116d5b305f7c
                                                                                      • Instruction Fuzzy Hash: 2791AD71A00215ABCF24DFA5C844FEFBBB8EF45714F10851AE519AB280D778AD05CFA8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

APIs
Strings
• internal error: missing capturing bracket, xrefs: 00451158
• ERCP, xrefs: 00416313
• failed to get memory, xrefs: 00416488
• argument is not a compiled regular expression, xrefs: 00451160
• internal error: opcode not recognized, xrefs: 0041647D
• argument not compiled in 16 bit mode, xrefs: 00451150
Similarity
• API ID: _memset$_memmove
• String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
• API String ID: 2532777613-264027815
• Opcode ID: 5050f1d5a739bef3a8333c6a539d66c1edae72094ea9907375e2dc5b1e6d177f
• Instruction ID: 5033df5f12e9d93d71518abbe4fce8200a660ff7c3ad8cb2f73575c85904d8e6
• Opcode Fuzzy Hash: 5050f1d5a739bef3a8333c6a539d66c1edae72094ea9907375e2dc5b1e6d177f
• Instruction Fuzzy Hash: 9551C0719007199BCB24CF65C881BEBBBF4EF08314F20856FE94AC6251E778D985CB58
Uniqueness
• Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
  • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
  • Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
  • Part of subcall function 00402344: GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0048C2E4
• ImageList_EndDrag.COMCTL32 ref: 0048C2EA
• ReleaseCapture.USER32 ref: 0048C2F0
  • Part of subcall function 0048ADF1: ClientToScreen.USER32(?,?), ref: 0048AE1A
  • Part of subcall function 0048ADF1: GetWindowRect.USER32(?,?), ref: 0048AE90
  • Part of subcall function 0048ADF1: PtInRect.USER32(?,?,0048C304), ref: 0048AEA0
  • Part of subcall function 0048ADF1: MessageBeep.USER32(00000000), ref: 0048AF11
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004880E0
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004880FF
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00488123
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00488134
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00000149,00000000,00000000), ref: 00488153
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00488186
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000133C,00000000,?), ref: 004881AC
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004881E7
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 0048822E
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 00488256
  • Part of subcall function 0048804A: IsMenu.USER32(?), ref: 0048826F
  • Part of subcall function 0048804A: GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882CA
  • Part of subcall function 0048804A: GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882F8
  • Part of subcall function 0048804A: GetWindowLongW.USER32(?,000000F0), ref: 0048836C
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004883BB
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00001001,00000000,?), ref: 00488456
  • Part of subcall function 0048804A: wsprintfW.USER32 ref: 0048847E
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004884A0
  • Part of subcall function 0048804A: GetWindowTextW.USER32(?,00000000,00000001), ref: 004884C8
  • Part of subcall function 0048804A: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004884EA
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048850A
  • Part of subcall function 0048804A: GetWindowTextW.USER32(?,00000000,00000001), ref: 00488531
  • Part of subcall function 0048804A: GetWindowLongW.USER32(?,000000EC), ref: 004885AB
  • Part of subcall function 0048804A: _memset.LIBCMT ref: 004885BD
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00001053,000000FF,?), ref: 004885EC
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,?), ref: 00488625
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00488676
  • Part of subcall function 0048804A: CharNextW.USER32(00000000), ref: 004886B1
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 004886E1
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 004886FC
  • Part of subcall function 0048804A: _memset.LIBCMT ref: 00488709
  • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,?), ref: 0048872A
  • Part of subcall function 0048804A: SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0048873F
• SetWindowTextW.USER32(?,00000000), ref: 0048C39A
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0048C3AD
  • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
• DefDlgProcW.USER32(?,00000202,?), ref: 0048C48F
Similarity
• API ID: Message$Send$Window$Long$MenuText$AsyncClientDragImageInfoItemList_RectScreenState_memset$BeepCaptureCharCursorLeaveNextProcRelease_memmovewsprintf
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 3004859125-2107944366
• Opcode ID: b798aa5b2f107ad1458b2c75d2adbba9596b4275280ea14d7fefb00be64307d6
• Instruction ID: dc367e10a39d425f30cb391b84f58576d3d09b44280b1156dac04409bcc5156d
• Opcode Fuzzy Hash: b798aa5b2f107ad1458b2c75d2adbba9596b4275280ea14d7fefb00be64307d6
• Instruction Fuzzy Hash: 7451A170204304AFD700EF24C895F6E77E5FB88314F00892EF555972E1DB78A948DB6A
Uniqueness
• Uniqueness Score: 100.00%

APIs
  • Part of subcall function 0048A71E: DeleteObject.GDI32(00000000), ref: 0048A757
• InvalidateRect.USER32(?,00000000,00000001), ref: 0048896E
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004889A4
• ShowWindow.USER32(?,00000000), ref: 004889ED
• ShowWindow.USER32(?,00000005), ref: 004889F3
• SetFocus.USER32 ref: 004889F7
• GetWindowLongW.USER32(?,000000F0), ref: 00488A35
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00488A42
• SendMessageW.USER32(?,00001001,00000000,?), ref: 00488A86
• SendMessageW.USER32(?,00001026,00000000,?), ref: 00488A93
  • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
  • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
  • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
  • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
  • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
Similarity
• API ID: Window$MessageRectSend$ClientInvalidateLongScreenShow$BrushCreateDeleteFocusObjectSolid
• String ID:
• API String ID: 3433424984-0
• Opcode ID: d838244f26b6da36ad23e0fd2cd8cd60ee266be12254dd83e7b274d95d6c2824
• Instruction ID: c6b024f5472ab695e497d5b95dd9337e811c75869fcd45f43dd79c229618c00e
• Opcode Fuzzy Hash: d838244f26b6da36ad23e0fd2cd8cd60ee266be12254dd83e7b274d95d6c2824
• Instruction Fuzzy Hash: 9651A430600208BADF34BF25CC89B6E7B65BF05314FA0492FF515E62E1DF79A9809B59
Uniqueness
• Uniqueness Score: 0.14%

APIs
  • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
• LoadIconW.USER32(00000000,00007F03), ref: 004632C5
• ExtractIconExW.SHELL32(?,004C6A2C,00000000,004C6A30,00000001), ref: 004632DA
Similarity
• API ID: Icon$ExtractLoad__wcsicmp_l
• String ID: blank$info$question$stop$warning
• API String ID: 3534929142-404129466
• Opcode ID: 77fe609f7d7df2f5dc9ffe3ad1bea5ae7a1829eac4f59a579a3ff1f305724edc
• Instruction ID: bd39f8208ce013f69ee2957a59db9678c91d00ade58264490e67fb22ecbd3877
• Opcode Fuzzy Hash: 77fe609f7d7df2f5dc9ffe3ad1bea5ae7a1829eac4f59a579a3ff1f305724edc
• Instruction Fuzzy Hash: F41138313083967AA7015E55EC62DABB3ACDF19766F2000ABF40056281F67D5B1106BF
Uniqueness
• Uniqueness Score: 0.23%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046454E
• LoadStringW.USER32(00000000), ref: 00464555
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046456B
• LoadStringW.USER32(00000000), ref: 00464572
• _wprintf.LIBCMT ref: 00464598
  • Part of subcall function 00423ECA: __stbuf.LIBCMT ref: 00423F1A
  • Part of subcall function 00423ECA: __woutput_l.LIBCMT ref: 00423F33
  • Part of subcall function 00423ECA: __ftbuf.LIBCMT ref: 00423F47
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004645B6
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00464593
Similarity
• API ID: HandleLoadModuleString$Message__ftbuf__stbuf__woutput_l_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3368596580-3128320259
• Opcode ID: cf1f71f02d618412e5e4011ee75cbf7dd1c2efdd86ab7fdc5ff900bbdf96f69c
• Instruction ID: 26d6b9379a34e5b6735d9e290e406bfe10dd0a5cb8e1345d55a1fd9b07754018
• Opcode Fuzzy Hash: cf1f71f02d618412e5e4011ee75cbf7dd1c2efdd86ab7fdc5ff900bbdf96f69c
• Instruction Fuzzy Hash: 2F0167F2500208BFE750A790DD89EEB776CEB08301F5009BABB45E2051E6789E894B79
Uniqueness
• Uniqueness Score: 100.00%

APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 004203D3
• MapVirtualKeyW.USER32(00000010,00000000), ref: 004203DB
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 004203E6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 004203F1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 004203F9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00420401
Similarity
• API ID: Virtual
• String ID: Lj w
• API String ID: 4278518827-3995317842
• Opcode ID: 0892b48b5c633f5601cc9ff2b3f9abbce8860175636cc0ddc78c40c876bf933f
• Instruction ID: d0aff5fa41d626ddf17322be72bdae961d38541aa35c503e85926df042f77401
• Opcode Fuzzy Hash: 0892b48b5c633f5601cc9ff2b3f9abbce8860175636cc0ddc78c40c876bf933f
• Instruction Fuzzy Hash: 8701A7B0A42B5A7DE3009F6A8C84B53FEA8FF05394F00411BA15C47A42C7F5AC64CBE9
Uniqueness
• Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0048D78A
                                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0048D7AA
                                                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0048D9E5
                                                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048DA03
                                                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048DA24
                                                                                      • ShowWindow.USER32(00000003,00000000), ref: 0048DA43
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0048DA68
                                                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048DA8B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                      • String ID:
                                                                                      • API String ID: 1211466189-0
                                                                                      • Opcode ID: eb70e67288782093014809172296cca956549343a8f45a5b87efe570699ce815
                                                                                      • Instruction ID: eb940e76658434b7ad8eeabe1703afeb33935e81992f953b53c46158808d9c3e
                                                                                      • Opcode Fuzzy Hash: eb70e67288782093014809172296cca956549343a8f45a5b87efe570699ce815
                                                                                      • Instruction Fuzzy Hash: C9B19B71901215EBDF18EF68C9857BE7BB1FF48700F18847AEC48AB295D738A950CB58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.43%

                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 0048645A
                                                                                      • GetDC.USER32(00000000), ref: 00486462
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0048646D
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00486479
                                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004864B5
                                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004864C6
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00486500
                                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00486520
                                                                                        • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
                                                                                        • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientMessageRectScreenSendWindow$CapsCreateDeleteDeviceFontInvalidateMoveObjectRelease
                                                                                      • String ID:
                                                                                      • API String ID: 3380433687-0
                                                                                      • Opcode ID: 8b88619763fd6254d6488ec5cab92517c73cd71dc51d716d7c88cefd0b034ed1
                                                                                      • Instruction ID: 5c1cc6793609d5e6e0acb9b007d1b286434c541ad31a2caf87ecf1e2a9c9b5d4
                                                                                      • Opcode Fuzzy Hash: 8b88619763fd6254d6488ec5cab92517c73cd71dc51d716d7c88cefd0b034ed1
                                                                                      • Instruction Fuzzy Hash: D4319F72201214BFEB109F50DC4AFEB3FA9EF09765F040069FE08AA295D6759C41CB68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.16%

                                                                                      APIs
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                        • Part of subcall function 004013B0: EndPath.GDI32(?), ref: 004013BF
                                                                                        • Part of subcall function 004013B0: StrokeAndFillPath.GDI32(?), ref: 004013DB
                                                                                        • Part of subcall function 004013B0: SelectObject.GDI32(?,00000000), ref: 004013EE
                                                                                        • Part of subcall function 004013B0: DeleteObject.GDI32 ref: 00401401
                                                                                        • Part of subcall function 004013B0: StrokePath.GDI32(?), ref: 0040141C
                                                                                      • MoveToEx.GDI32(?,000000FE,?,00000000), ref: 0043B8CD
                                                                                      • AngleArc.GDI32(?,000000FE,?,?,-00000010,-00000010), ref: 0043B90E
                                                                                      • LineTo.GDI32(?,000000FE,?), ref: 0043B919
                                                                                      • CloseFigure.GDI32(?), ref: 0043B920
                                                                                      • Ellipse.GDI32(?,000000FE,?,?,00000000), ref: 0043B967
                                                                                      • Rectangle.GDI32(?,000000FE,?,?,?), ref: 0043B9C2
                                                                                      • SetPixel.GDI32(?,000000FE,?,?), ref: 0043B9FE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$Path$Select$DeleteStroke$AngleBeginCloseCreateEllipseFigureFillLineMovePixelRectangle
                                                                                      • String ID:
                                                                                      • API String ID: 304495578-0
                                                                                      • Opcode ID: 09c15824ac63a65c0734988e0de1478892bca8845b386477e243a1c01ae4827c
                                                                                      • Instruction ID: 504086b8ac0d12f7a80c9a28070c24604f60f8592932f63d6c8978218f7d0df9
                                                                                      • Opcode Fuzzy Hash: 09c15824ac63a65c0734988e0de1478892bca8845b386477e243a1c01ae4827c
                                                                                      • Instruction Fuzzy Hash: CF718170900109EFCB04DF94CC84EBFBB74FF85314F10816AF915AA2A1C738AA11CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.14%

                                                                                      APIs
                                                                                      • IsWindow.USER32(00A74CB8), ref: 0048B6A5
                                                                                      • IsWindowEnabled.USER32(00A74CB8), ref: 0048B6B1
                                                                                        • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                                                        • Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                                        • Part of subcall function 00402344: GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
                                                                                      • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0048B795
                                                                                      • SendMessageW.USER32(00A74CB8,000000B0,?,?), ref: 0048B7CC
                                                                                      • IsDlgButtonChecked.USER32(?,?), ref: 0048B809
                                                                                      • GetWindowLongW.USER32(00A74CB8,000000EC), ref: 0048B82B
                                                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B843
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048B9CC
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(?,00000000), ref: 0048B9F0
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048BA50
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(?,00000004), ref: 0048BA62
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(?,00000001), ref: 0048BA86
                                                                                        • Part of subcall function 0048B958: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSend$Show$AsyncEnableLongState$ButtonCheckedClientCursorEnabledScreen
                                                                                      • String ID:
                                                                                      • API String ID: 393453039-0
                                                                                      • Opcode ID: e0255157bc3365efc4214bf48416f85dc247b11bd12e87c94cf825cbac7e990f
                                                                                      • Instruction ID: a7d0881697c90ebb8ac62a69b5506f8dd5c31139f9226510073890e22dad6404
                                                                                      • Opcode Fuzzy Hash: e0255157bc3365efc4214bf48416f85dc247b11bd12e87c94cf825cbac7e990f
                                                                                      • Instruction Fuzzy Hash: 3A719034600304AFDB20AF64C894FAE7BB9FF49300F15486EE945A7361D739A841DB9D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.43%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcsncpy$LocalTime
                                                                                      • String ID:
                                                                                      • API String ID: 2945705084-0
                                                                                      • Opcode ID: 7a73a9d8b045da8df5336bb66c02e39a5d5c0cabf30c4969930a264d4c6a1f2d
                                                                                      • Instruction ID: 239261fae8d9192360add67fc14eaad88e6f5f5f9fe45dd7678ebb12787c5eaa
                                                                                      • Opcode Fuzzy Hash: 7a73a9d8b045da8df5336bb66c02e39a5d5c0cabf30c4969930a264d4c6a1f2d
                                                                                      • Instruction Fuzzy Hash: 514193A5D2012476CB10EBB598869CFB3A89F45710F90885BE518E3111F638E754C7AE
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.47%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00487519
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004875C0
                                                                                      • IsMenu.USER32(?), ref: 004875D8
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00487620
                                                                                      • DrawMenuBar.USER32 ref: 00487633
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                      • String ID: 0
                                                                                      • API String ID: 3866635326-4108050209
                                                                                      • Opcode ID: edeaa6d0161f0f44574b9eae0ef1f6fd71eb3f1ff2b29b23cea93bbffdc13975
                                                                                      • Instruction ID: 244ebd32b8f97b81259969125f729c00c6f494ffb7d64cbbbf547a27778ec249
                                                                                      • Opcode Fuzzy Hash: edeaa6d0161f0f44574b9eae0ef1f6fd71eb3f1ff2b29b23cea93bbffdc13975
                                                                                      • Instruction Fuzzy Hash: 29414775A05608EFDB10EF58D894E9EBBB8FB04320F14882AE915A7390D734ED51CFA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000008), ref: 0045E0FA
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E120
                                                                                      • #2.OLEAUT32(00000000), ref: 0045E123
                                                                                      • #2.OLEAUT32(?,?,00000008), ref: 0045E144
                                                                                      • #6.OLEAUT32(?), ref: 0045E14D
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0045E167
                                                                                      • #2.OLEAUT32(?), ref: 0045E175
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$Exception@8FromStringThrowstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 3545288400-0
                                                                                      • Opcode ID: 884b170073c76548cf15acec0e6820abadce36ef18cef92617a6400b6a04b6e1
                                                                                      • Instruction ID: 67c9d3dc381654df01c0c22ef12326e1a14a94d41d6a64db7bb41e680024eb02
                                                                                      • Opcode Fuzzy Hash: 884b170073c76548cf15acec0e6820abadce36ef18cef92617a6400b6a04b6e1
                                                                                      • Instruction Fuzzy Hash: E721D671200518BF9B14AFA9DC88CAB73ECEB09761B10813AFD54CB2A1DB74DD458B68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.93%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004878A1
                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004878AE
                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004878B9
                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004878C8
                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004878D4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$CreateObjectShowStock
                                                                                      • String ID: Msctls_Progress32
                                                                                      • API String ID: 269107984-3636473452
                                                                                      • Opcode ID: f7bc9240e14bc4aef0fe5bbffa24766386ea0ca3a5f7e24fad0349575530a0aa
                                                                                      • Instruction ID: 92253c4dff29aad24290472b4db2c2572747c1f81b0a32cfc704e08449bf8f20
                                                                                      • Opcode Fuzzy Hash: f7bc9240e14bc4aef0fe5bbffa24766386ea0ca3a5f7e24fad0349575530a0aa
                                                                                      • Instruction Fuzzy Hash: 281104B2540219BFEF15AF60CC85EEB7F6DEF08798F114115FA04A2090CB769C21DBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004241E3
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004241EA
                                                                                      • EncodePointer.KERNEL32(00000000), ref: 004241F6
                                                                                      • DecodePointer.KERNEL32(00000001), ref: 00424213
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoInitialize$combase.dll
                                                                                      • API String ID: 3489934621-340411864
                                                                                      • Opcode ID: 5bccab6494b523de4f89304bf15fd68300b1f9e2fdfa0f03ecf7e752e13a8ef8
                                                                                      • Instruction ID: 554aba7e706935eef98d5f48fecafe8f14f9d0301701379c1545929dc36dfa4f
                                                                                      • Opcode Fuzzy Hash: 5bccab6494b523de4f89304bf15fd68300b1f9e2fdfa0f03ecf7e752e13a8ef8
                                                                                      • Instruction Fuzzy Hash: 8EE09AB0690300AEEF911F70ED4DF083A95ABA0B02F644839B851D10A0DBF940A89B0C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004241B8), ref: 004242B8
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004242BF
                                                                                      • EncodePointer.KERNEL32(00000000), ref: 004242CA
                                                                                      • DecodePointer.KERNEL32(004241B8), ref: 004242E5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoUninitialize$combase.dll
                                                                                      • API String ID: 3489934621-2819208100
                                                                                      • Opcode ID: 38a029e66ea7d27f7a9163d1d7d860f5c65e6d37c153c2e42146312fef8db417
                                                                                      • Instruction ID: 15b1a5aa7e18a967cd8893ea7d93c869ab9a07ceb3ae99f86fd7b01cca389b21
                                                                                      • Opcode Fuzzy Hash: 38a029e66ea7d27f7a9163d1d7d860f5c65e6d37c153c2e42146312fef8db417
                                                                                      • Instruction Fuzzy Hash: 71E04F78681300EFDB409B21FE0CF493AA4F750742F140539F041D11A0CFB84644CB1C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00465B29: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,?,004667E1,00000000,00000000), ref: 00465B55
                                                                                        • Part of subcall function 00465B29: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,004667E1,00000000,00000000,00000000,?), ref: 00465B7C
                                                                                      • _memmove.LIBCMT ref: 004667E8
                                                                                        • Part of subcall function 004079AB: _memmove.LIBCMT ref: 004079F9
                                                                                      • _memmove.LIBCMT ref: 0046685B
                                                                                        • Part of subcall function 0046573E: _strlen.LIBCMT ref: 00465756
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00466870), ref: 00465769
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00466870), ref: 0046579D
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 004668AD
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __swprintf.LIBCMT ref: 0043F9F7
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                      • _memmove.LIBCMT ref: 00466942
                                                                                      • _memmove.LIBCMT ref: 0046695B
                                                                                      • _memmove.LIBCMT ref: 00466977
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$ByteCharMultiWide$__swprintf_wcscpy$Exception@8Throw__i64tow__itow_strlenstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1432503114-0
                                                                                      • Opcode ID: 91a5b9742c17e5bb88d913d28afab178534e55022ba6e840a720fd2715564a6d
                                                                                      • Instruction ID: 6f91ede795408b0bfae053ebd451bddb5c2729c6fb0f0f0f08a4ed72ad27e223
                                                                                      • Opcode Fuzzy Hash: 91a5b9742c17e5bb88d913d28afab178534e55022ba6e840a720fd2715564a6d
                                                                                      • Instruction Fuzzy Hash: C9619F7060025A9BDF11EF66C881EFE37A4AF0430CF45452EF8556B2D2EB38AD05CB5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID:
                                                                                      • API String ID: 4104443479-0
                                                                                      • Opcode ID: e0e4c2a5e8745864faa56e5889f7aed8dc9d36647b4b934b0d9476528ef57ffe
                                                                                      • Instruction ID: 2e2eaad49763833bbcfc7c68f572f088d5f8d2798b4c1c5c41ffca29e6c5e6c5
                                                                                      • Opcode Fuzzy Hash: e0e4c2a5e8745864faa56e5889f7aed8dc9d36647b4b934b0d9476528ef57ffe
                                                                                      • Instruction Fuzzy Hash: E6517BB5A00209EFCB10CF58D880AAAB7B8FF4C354B15856AED59DB301E734E915CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00462747
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462792
                                                                                      • IsMenu.USER32(00000000), ref: 004627B2
                                                                                      • CreatePopupMenu.USER32 ref: 004627E6
                                                                                        • Part of subcall function 00462C42: _memset.LIBCMT ref: 00462CAF
                                                                                        • Part of subcall function 00462C42: GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00462CCB
                                                                                        • Part of subcall function 00462C42: DeleteMenu.USER32(?,00000007,00000000), ref: 00462D11
                                                                                        • Part of subcall function 00462C42: DeleteMenu.USER32(?,00000000,00000000), ref: 00462D5A
                                                                                      • GetMenuItemCount.USER32(000000FF), ref: 00462844
                                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462875
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DeleteInfo_memset$CountCreateInsertPopup
                                                                                      • String ID:
                                                                                      • API String ID: 1721661707-0
                                                                                      • Opcode ID: 26be2bb6517104d0e06652614555473398c1a5c4668b3e74760e83b0a7226d5a
                                                                                      • Instruction ID: ae907cd3f2aa1f5fb6f168798142b7ed047680f4cd9d897be70698fd7a4ddbb7
                                                                                      • Opcode Fuzzy Hash: 26be2bb6517104d0e06652614555473398c1a5c4668b3e74760e83b0a7226d5a
                                                                                      • Instruction Fuzzy Hash: FD51B270A00705FFDF14DF68CE88AAEBBF4AF44314F10462EE4119B291E7B88904CB56
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • BeginPaint.USER32(?,?), ref: 0040179A
                                                                                      • GetWindowRect.USER32(?,?), ref: 004017FE
                                                                                      • ScreenToClient.USER32(?,?), ref: 0040181B
                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
                                                                                      • EndPaint.USER32(?,?), ref: 00401876
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0043BACB
                                                                                        • Part of subcall function 004013B0: EndPath.GDI32(?), ref: 004013BF
                                                                                        • Part of subcall function 004013B0: StrokeAndFillPath.GDI32(?), ref: 004013DB
                                                                                        • Part of subcall function 004013B0: SelectObject.GDI32(?,00000000), ref: 004013EE
                                                                                        • Part of subcall function 004013B0: DeleteObject.GDI32 ref: 00401401
                                                                                        • Part of subcall function 004013B0: StrokePath.GDI32(?), ref: 0040141C
                                                                                        • Part of subcall function 00401424: MoveToEx.GDI32(?,000000FE,?,00000000), ref: 0043B8CD
                                                                                        • Part of subcall function 00401424: AngleArc.GDI32(?,000000FE,?,?,-00000010,-00000010), ref: 0043B90E
                                                                                        • Part of subcall function 00401424: LineTo.GDI32(?,000000FE,?), ref: 0043B919
                                                                                        • Part of subcall function 00401424: CloseFigure.GDI32(?), ref: 0043B920
                                                                                        • Part of subcall function 00401424: Ellipse.GDI32(?,000000FE,?,?,00000000), ref: 0043B967
                                                                                        • Part of subcall function 00401424: Rectangle.GDI32(?,000000FE,?,?,?), ref: 0043B9C2
                                                                                        • Part of subcall function 00401424: SetPixel.GDI32(?,000000FE,?,?), ref: 0043B9FE
                                                                                        • Part of subcall function 0040152E: BeginPath.GDI32(00000000), ref: 0040154C
                                                                                        • Part of subcall function 0040152E: PolyDraw.GDI32(00000000,00000002,?,?), ref: 004015C3
                                                                                        • Part of subcall function 0040152E: PolyDraw.GDI32(00000000,00000002,00000810,?), ref: 00401602
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectPath$BeginSelect$DeleteDrawPaintPolyRectangleStrokeWindow$AngleClientCloseCreateEllipseFigureFillLineLongMovePixelRectScreenViewport
                                                                                      • String ID:
                                                                                      • API String ID: 248873171-0
                                                                                      • Opcode ID: 96bee910b95448c1c32d2d7cbaec34173df8798859d468da8578c2ee1054d098
                                                                                      • Instruction ID: f496b0d24a919446a821901bb08c967343d20a2d6e91284dadc4af8012d8984c
                                                                                      • Opcode Fuzzy Hash: 96bee910b95448c1c32d2d7cbaec34173df8798859d468da8578c2ee1054d098
                                                                                      • Instruction Fuzzy Hash: F8418C71100200AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C7359946DB6A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.16%

                                                                                      APIs
                                                                                      • ShowWindow.USER32(004C67B0,00000000), ref: 0048B9CC
                                                                                      • EnableWindow.USER32(?,00000000), ref: 0048B9F0
                                                                                      • ShowWindow.USER32(004C67B0,00000000), ref: 0048BA50
                                                                                      • ShowWindow.USER32(?,00000004), ref: 0048BA62
                                                                                      • EnableWindow.USER32(?,00000001), ref: 0048BA86
                                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 642888154-0
                                                                                      • Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
                                                                                      • Instruction ID: 4bbfffa5aca34bc284a6f875752b5b7a56a0dd7a11c68d007de5de2d50af2dcc
                                                                                      • Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
                                                                                      • Instruction Fuzzy Hash: 6E416470600241EFDB25DF14C489B9A7BE0FF05314F1846BAEE589F3A2C735A84ADB95
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0048C1C4
                                                                                      • LineTo.GDI32(00000000,00000003,?), ref: 0048C1D8
                                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C1E6
                                                                                      • LineTo.GDI32(00000000,00000000,?), ref: 0048C1F6
                                                                                      • EndPath.GDI32(00000000), ref: 0048C206
                                                                                      • StrokePath.GDI32(00000000), ref: 0048C216
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                      • String ID:
                                                                                      • API String ID: 372113273-0
                                                                                      • Opcode ID: bcce67e3e298e3a6bc6f4242255c7147e032c19fae9192ab638b55bf4357f776
                                                                                      • Instruction ID: 89b87adcafcd02c20156ebc744166949cd87f219d271a2b64e3a0db778f8eb43
                                                                                      • Opcode Fuzzy Hash: bcce67e3e298e3a6bc6f4242255c7147e032c19fae9192ab638b55bf4357f776
                                                                                      • Instruction Fuzzy Hash: E5111B7640010CBFDB11AF90DC88EAA7FADEB04394F048476BE185A1A1C7719E55DBA4
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,?), ref: 004674E5
                                                                                      • EnterCriticalSection.KERNEL32(?,?,00411044,?,?), ref: 004674F6
                                                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00411044,?,?), ref: 00467503
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00467510
                                                                                        • Part of subcall function 00466ED7: CloseHandle.KERNEL32(00000000), ref: 00466EE1
                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467523
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00411044,?,?), ref: 0046752A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 3495660284-0
                                                                                      • Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                                                                                      • Instruction ID: 9734b5ccd6540a82fb48e8287cb809d44fcf662c2da7f217d7ce71899fdcd72b
                                                                                      • Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                                                                                      • Instruction Fuzzy Hash: 9EF0823A140A12EBDB111B64FC8C9EF773AFF45312B5009BAF203914B0EB7A5815CB59
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • _memset.LIBCMT ref: 0040418D
                                                                                        • Part of subcall function 0040463E: _wcsncpy.LIBCMT ref: 00404652
                                                                                      • _wcscpy.LIBCMT ref: 004041E1
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$IconLoadNotifyShell_String_memset_wcscpy_wcsncpy
                                                                                      • String ID: Line:
                                                                                      • API String ID: 3448885215-1585850449
                                                                                      • Opcode ID: 4dabcb287aa0014f2b865201e2cf0eafda2d30f8a4c5563cc53a3e2912b2ce29
                                                                                      • Instruction ID: 58a74a7614972f0f445e6137c0dd90b430b5bf5ec00f8e3566b7ff54c1cdf52a
                                                                                      • Opcode Fuzzy Hash: 4dabcb287aa0014f2b865201e2cf0eafda2d30f8a4c5563cc53a3e2912b2ce29
                                                                                      • Instruction Fuzzy Hash: 8B31C171408304AAD761EB60DC45FDB73E8AF44304F10497FB184A21D1EB78A649C79F
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004866D0
                                                                                      • LoadLibraryW.KERNEL32(?), ref: 004866D7
                                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004866EC
                                                                                      • DestroyWindow.USER32(?), ref: 004866F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSendWindow$CreateDestroyLibraryLoadObjectShowStock
                                                                                      • String ID: SysAnimate32
                                                                                      • API String ID: 2125232845-1011021900
                                                                                      • Opcode ID: 6ff0cea8df7c8dbd966367875cc0fa59ce0a78d58aa6e2900808d1d81c72dfb1
                                                                                      • Instruction ID: 107bb2381c9b110c9a3b8e0dc5be6575e68445ddc2201bb672f8ab0b69eab8f0
                                                                                      • Opcode Fuzzy Hash: 6ff0cea8df7c8dbd966367875cc0fa59ce0a78d58aa6e2900808d1d81c72dfb1
                                                                                      • Instruction Fuzzy Hash: 6E21D471100205BFEF506F64EC80EBF37ADEF55328F114A2AF910A2290E779CC419769
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004241E3
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004241EA
                                                                                      • EncodePointer.KERNEL32(00000000), ref: 004241F6
                                                                                      • DecodePointer.KERNEL32(00000001), ref: 00424213
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoInitialize$combase.dll
                                                                                      • API String ID: 3489934621-340411864
                                                                                      • Opcode ID: dd13c08ab37e80bf1927b8ff06d098bbfda6e910d72f62f948d3123e59d291c0
                                                                                      • Instruction ID: 4a732e24270c1dda5bee5a6c288e9bc2dfac411a4ff9226b3ae07dfd94810194
                                                                                      • Opcode Fuzzy Hash: dd13c08ab37e80bf1927b8ff06d098bbfda6e910d72f62f948d3123e59d291c0
                                                                                      • Instruction Fuzzy Hash: 5EE01770391300AAEF612BB1ED0DF193994ABA0B43FA08979B551E40E0DBE944999B1C
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      • _memset.LIBCMT ref: 004256AB
                                                                                      • _memcpy_s.LIBCMT ref: 0042571D
                                                                                        • Part of subcall function 00430F18: _memmove.LIBCMT ref: 00430F51
                                                                                        • Part of subcall function 00430F18: _memset.LIBCMT ref: 00430F63
                                                                                      • __read_nolock.LIBCMT ref: 0042577B
                                                                                        • Part of subcall function 004310AB: __malloc_crt.LIBCMT ref: 00431194
                                                                                        • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 004311C5
                                                                                        • Part of subcall function 004310AB: GetConsoleMode.KERNEL32(00000080,?), ref: 004312A7
                                                                                        • Part of subcall function 004310AB: ReadConsoleW.KERNEL32(0048FB24,?,004385D3,?,00000000), ref: 004312D3
                                                                                        • Part of subcall function 004310AB: GetLastError.KERNEL32(?,?,?,?,?,0048FB24,00000001,00000000,?,?,?,?,?,?,004385D3,0048FB24), ref: 004312DD
                                                                                        • Part of subcall function 004310AB: __dosmaperr.LIBCMT ref: 004312E4
                                                                                        • Part of subcall function 004310AB: ReadFile.KERNEL32(0048FB24,?,004385D3,?,00000000), ref: 00431317
                                                                                        • Part of subcall function 004310AB: ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 004313DD
                                                                                        • Part of subcall function 004310AB: GetLastError.KERNEL32(?,0048FB24,00000001,00000000,?,?,?,?,?,?,004385D3,0048FB24,00000080,00000003), ref: 004313E7
                                                                                        • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 00431452
                                                                                        • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 00431561
                                                                                        • Part of subcall function 004310AB: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004385D3,004385D2,0048FB24,?,?,?,?,?,?,0048FB24,00000001,00000000), ref: 00431580
                                                                                        • Part of subcall function 004310AB: _free.LIBCMT ref: 004315B3
                                                                                        • Part of subcall function 004310AB: ReadFile.KERNEL32(00000080,00000080,00000002,?,00000000), ref: 004316E6
                                                                                        • Part of subcall function 004310AB: GetLastError.KERNEL32(?,0048FB24,00000001,00000000), ref: 004316F0
                                                                                        • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 0043178A
                                                                                        • Part of subcall function 004310AB: GetLastError.KERNEL32(?,0048FB24,00000001,00000000,?,?,?,?,?,?,004385D3,0048FB24,00000080,00000003), ref: 004317E3
                                                                                      • __filbuf.LIBCMT ref: 0042579E
                                                                                        • Part of subcall function 00430DF7: __getbuf.LIBCMT ref: 00430E47
                                                                                        • Part of subcall function 00430DF7: __read.LIBCMT ref: 00430E62
                                                                                      • _memset.LIBCMT ref: 004257E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastRead__lseeki64_nolock$File_memset$Console$ByteCharModeMultiWide__dosmaperr__filbuf__getbuf__getptd_noexit__malloc_crt__read__read_nolock_free_memcpy_s_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 1189629394-0
                                                                                      • Opcode ID: 81411999657e3e763d812df863fa8787a6ab3c9ff8487da223325fcefd1e7ca8
                                                                                      • Instruction ID: 8f486d84be92ee44d8014861303fa160b6b430e9f344387c801a4323594451c0
                                                                                      • Opcode Fuzzy Hash: 81411999657e3e763d812df863fa8787a6ab3c9ff8487da223325fcefd1e7ca8
                                                                                      • Instruction Fuzzy Hash: B951D930B00B25DBDB248F79E88466F77B1AF40324FA4832FF829962D0D7789D518B49
                                                                                      Uniqueness
                                                                                      Uniqueness Score: 3.75%

                                                                                      APIs
                                                                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004319A8
                                                                                      • SetFilePointerEx.KERNEL32(00000000,?,?,?,?), ref: 004319BC
                                                                                      • GetLastError.KERNEL32(?,?), ref: 004319C2
                                                                                      • __dosmaperr.LIBCMT ref: 004319C9
                                                                                      • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004319E2
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: FilePointer$ErrorLast__dosmaperr__getptd_noexit
• String ID:
• API String ID: 3275556073-0
• Opcode ID: 5020ea8c7c08a2c1d974e05f6122347255403b42e583d755c53856760baf4a0f
• Instruction ID: 42343e62d8a757b4a28060c1c9b42eb39466e64cca7891ad5fd8ae8a4149cba5
• Opcode Fuzzy Hash: 5020ea8c7c08a2c1d974e05f6122347255403b42e583d755c53856760baf4a0f
• Instruction Fuzzy Hash: 65113D72611228BFDB115BA89C40FBE3778AF45724F50025BF520A71E1DB78D800C759
Uniqueness

Uniqueness Score: 100.00%

APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
• SelectObject.GDI32(?,00000000), ref: 0040135C
• BeginPath.GDI32(?), ref: 00401373
  • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
• SelectObject.GDI32(?,00000000), ref: 0040139C
• DeleteObject.GDI32(00000000), ref: 0043B8B6
Similarity
• API ID: Object$CreateSelect$BeginBrushDeletePathSolid
• String ID:
• API String ID: 1512498296-0
• Opcode ID: ebd5db839387be117ed7d3fbb214bec0919e75378db44ca2cc759e7a000b0216
• Instruction ID: 01809ca1199762821c7ccc43aba1927c018ed3358b57c1522327ad2857708082
• Opcode Fuzzy Hash: ebd5db839387be117ed7d3fbb214bec0919e75378db44ca2cc759e7a000b0216
• Instruction Fuzzy Hash: 9B213070801304EFEB11AF65DC04B6A7BB8FB00321F55863BF810A62F0D7799995DBA9
Uniqueness

Uniqueness Score: 0.15%

APIs
  • Part of subcall function 0045810E: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,00457651,-C0000018,00000001,?,0045758C,80070057,?,?,?,0045799D), ref: 0045811B
• CLSIDFromProgID.OLE32 ref: 0045766F
• ProgIDFromCLSID.OLE32(?,00000000), ref: 0045768A
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 00457698
• CoTaskMemFree.OLE32(00000000), ref: 004576A8
• CLSIDFromString.OLE32(?,?), ref: 004576B4
Similarity
• API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
• String ID:
• API String ID: 450394209-0
• Opcode ID: bc25b6519a94f10dbb251a0eebce8836490a121c9ede26846711f318317bd882
• Instruction ID: 7358ad2804b9dc9911c054a84f83c2ad3ef792169d9fc978e4c4218005fc1a73
• Opcode Fuzzy Hash: bc25b6519a94f10dbb251a0eebce8836490a121c9ede26846711f318317bd882
• Instruction Fuzzy Hash: 4B11E572604618BBDB105F69EC04B9E7BACEB04762F144439FD08D2212E779DE4487A8
Uniqueness

Uniqueness Score: 0.24%

APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
• Instruction ID: 904bb0919bfdc2718e962a82bb6b112c9c46cd464800c0dd09bb372580e459e7
• Opcode Fuzzy Hash: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
• Instruction Fuzzy Hash: 1A016131D00A19EBCF00DFE8E84D6EDBB78FB09711F04046AE502F2154EB345954C7AA
Uniqueness

Uniqueness Score: 0.22%

APIs
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 61c54fb263eb1c5a127bc7e68abcd113e5aa2c7f8e8059b9e487d898b006b3c2
• Instruction ID: f812cb0b4e4429ed7f7e618ed03f07a0aa621b4c15f073e4694ef7f498b4602e
• Opcode Fuzzy Hash: 61c54fb263eb1c5a127bc7e68abcd113e5aa2c7f8e8059b9e487d898b006b3c2
• Instruction Fuzzy Hash: 67F01930001208EFDB516F26EC4CB593BA4AB41326F15C639E829941F1C7358999DF28
Uniqueness

Uniqueness Score: 0.17%

APIs
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
  • Part of subcall function 0045BC53: GetDC.USER32(00000000), ref: 0045BC78
  • Part of subcall function 0045BC53: GetDeviceCaps.GDI32(00000000,00000058), ref: 0045BC89
  • Part of subcall function 0045BC53: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045BC90
  • Part of subcall function 0045BC53: ReleaseDC.USER32(00000000,00000000), ref: 0045BC98
  • Part of subcall function 0045BC53: MulDiv.KERNEL32(000009EC,0045B928,00000000), ref: 0045BCAF
  • Part of subcall function 0045BC53: MulDiv.KERNEL32(000009EC,016A52EC,?), ref: 0045BCC1
• OleSetContainedObject.OLE32(0000000C,00000001), ref: 0045B981
  • Part of subcall function 0045BCCD: OleSetContainedObject.OLE32(?,00000000), ref: 0045BD3F
  • Part of subcall function 0045BCCD: IsWindow.USER32(?), ref: 0045BD9C
  • Part of subcall function 0045BCCD: DestroyWindow.USER32(?), ref: 0045BDA9
  • Part of subcall function 004796DB: GetLastError.KERNEL32(?,00000000,?,0048FB84,?,00000016,?,00000016), ref: 004798A5
  • Part of subcall function 004796DB: #8.OLEAUT32(?,?,?,?), ref: 00479999
  • Part of subcall function 004796DB: #9.OLEAUT32(?,0048FB84,00000000,?,?,?,?,?), ref: 00479A43
Strings
Similarity
• API ID: CapsContainedDeviceObjectWindow$DestroyErrorException@8LastReleaseThrowstd::exception::exception
• String ID: AutoIt3GUI$Container$%I
• API String ID: 2766584483-4251005282
• Opcode ID: 29290dedffe005a17191b9d84606516f9259bcdc4a782ed29488de89124237b8
• Instruction ID: fb3361167640a3393b05a66091946d0b3b2d9ad6d528c81b3883d5ecba530668
• Opcode Fuzzy Hash: 29290dedffe005a17191b9d84606516f9259bcdc4a782ed29488de89124237b8
• Instruction Fuzzy Hash: 66914B70600601AFDB24DF24C885B6ABBE8FF48711F24856EED49CB392DB74E845CB94
Uniqueness

Uniqueness Score: 100.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 004252DD
• __powhlp.LIBCMT ref: 00425360
  • Part of subcall function 00430594: __d_inttype.LIBCMT ref: 00430675
  • Part of subcall function 00430357: __87except.LIBCMT ref: 0043037B
• __startOneArgErrorHandling.LIBCMT ref: 004304CE
Strings
Similarity
• API ID: ErrorHandling__start$__87except__d_inttype__powhlp
• String ID: pow
• API String ID: 2541061979-2276729525
• Opcode ID: c0169014571c8a50f035cbb27ee8a623963b058b02fd8f6767b6d6d046ddd236
• Instruction ID: af649323224186c0ce66bda7a16df25405c3c0d3a13ea4765fd3bccd6769ca7e
• Opcode Fuzzy Hash: c0169014571c8a50f035cbb27ee8a623963b058b02fd8f6767b6d6d046ddd236
• Instruction Fuzzy Hash: AC517C21B1C60197C710B724E92137F27949F14350FA0ABABE885823E6EE7C8DD4DA5E
Uniqueness

Uniqueness Score: 0.38%

APIs
• VkKeyScanW.USER32(?), ref: 00455DD0
  • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
• VkKeyScanW.USER32(?), ref: 00455D94
Strings
Similarity
• API ID: Scan$__wcsicmp_l
• String ID: #$+
• API String ID: 18157523-2552117581
• Opcode ID: 78aac638b891657a84596e610b96ba33317af811142ca3f19ad5b172345e43d7
• Instruction ID: 37aff8002e02ada0918aa30981c6d68896c3d675e4df38188cf454e749cffd85
• Opcode Fuzzy Hash: 78aac638b891657a84596e610b96ba33317af811142ca3f19ad5b172345e43d7
• Instruction Fuzzy Hash: EB513232200215CBCB14DF28D4986FA7BB0EF55310F548067EC80AB3A2D7389C4ACB69
Uniqueness

Uniqueness Score: 0.24%

APIs
  • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
  • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
  • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
  • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
  • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
• _memmove.LIBCMT ref: 004133D7
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
• _memmove.LIBCMT ref: 00413470
• _free.LIBCMT ref: 00413496
  • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
  • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
• _memmove.LIBCMT ref: 00413549
Strings
Similarity
• API ID: _memmove$Heap$AllocateErrorException@8FreeLastThrow_freestd::exception::exception
• String ID: OaA
• API String ID: 1824289774-4189730831
• Opcode ID: 38c948e852b62267e39f965348a95f4e8dfcd4bdf0d603f868d564617685fc43
• Instruction ID: b445b8fa1597fd77ac91e8f36571279a65bd22c4855345799867881e3280ac98
• Opcode Fuzzy Hash: 38c948e852b62267e39f965348a95f4e8dfcd4bdf0d603f868d564617685fc43
• Instruction Fuzzy Hash: 58518AB16083519FDB24CF29C440B6BBBE1BF85304F45496EE88987351DB39D941CB8A
Uniqueness

Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
  • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
  • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
  • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004876D0
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004876E4
  • Part of subcall function 0046589F: GetLocalTime.KERNEL32(?,00000200,?), ref: 004658AC
                                                                                        • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004658E1
                                                                                        • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465913
                                                                                        • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465946
                                                                                        • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465988
                                                                                        • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004659C2
                                                                                        • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004659F1
                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487708
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcsncpy$MessageSendWindow$CreateLocalObjectShowStockTime
                                                                                      • String ID: SysMonthCal32
                                                                                      • API String ID: 3258503128-1439706946
                                                                                      • Opcode ID: 8df40860f00383b0d6c3c964195447c3cde1b00ce37527eab5e6f159fde48afd
                                                                                      • Instruction ID: 1307edf48a77a6559d14c6dee31d15e92fea33bca7a193078042eb65218a36c2
                                                                                      • Opcode Fuzzy Hash: 8df40860f00383b0d6c3c964195447c3cde1b00ce37527eab5e6f159fde48afd
                                                                                      • Instruction Fuzzy Hash: B421AD32600218ABDF119E94CC52FEF3B69EF48764F210615FA156B1D0DAB9E8548BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.16%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004879E1
                                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004879F6
                                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487A03
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$CreateObjectShowStock
                                                                                      • String ID: msctls_trackbar32
                                                                                      • API String ID: 269107984-1010561917
                                                                                      • Opcode ID: f9de2675f9dbbe1aac8b53f7c0ec9e088f0411dbf2a2d6fcc0aa0f3bf777801e
                                                                                      • Instruction ID: 0de93e4c80c6f3c9c16b6b4dc0969efecf6b6414ad0caf4bffc16717d87381f0
                                                                                      • Opcode Fuzzy Hash: f9de2675f9dbbe1aac8b53f7c0ec9e088f0411dbf2a2d6fcc0aa0f3bf777801e
                                                                                      • Instruction Fuzzy Hash: 9F113A72244208BEEF24AF60CC15FDF37ADEF89764F21491AFA01A61D0D675D811CB64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeString$lstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 3563800057-0
                                                                                      • Opcode ID: 243eb1bb77c329aa80634928938631c45a4dd5376c5b101ad48a1cfc64343361
                                                                                      • Instruction ID: 84902a8fcdc76aa46939935bd970338d8b2f52d4cee566ed92c109812de06c3e
                                                                                      • Opcode Fuzzy Hash: 243eb1bb77c329aa80634928938631c45a4dd5376c5b101ad48a1cfc64343361
                                                                                      • Instruction Fuzzy Hash: E8C19E74A04216EFDB14CF94D884EAEB7B5FF48311B1085AAE805EB352D734ED85CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      • _memmove.LIBCMT ref: 004249D0
                                                                                      • __flush.LIBCMT ref: 004249F0
                                                                                        • Part of subcall function 00424C6D: __write.LIBCMT ref: 00424C9F
                                                                                      • __write.LIBCMT ref: 00424A23
                                                                                        • Part of subcall function 0042DAC6: ___lock_fhandle.LIBCMT ref: 0042DB33
                                                                                        • Part of subcall function 0042DAC6: __write_nolock.LIBCMT ref: 0042DB52
                                                                                      • __flsbuf.LIBCMT ref: 00424A51
                                                                                        • Part of subcall function 0042B05E: __getbuf.LIBCMT ref: 0042B0F5
                                                                                        • Part of subcall function 0042B05E: __write.LIBCMT ref: 0042B121
                                                                                        • Part of subcall function 0042B05E: __lseeki64.LIBCMT ref: 0042B165
                                                                                        • Part of subcall function 0042B05E: __write.LIBCMT ref: 0042B18A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __write$___lock_fhandle__flsbuf__flush__getbuf__getptd_noexit__lseeki64__write_nolock_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 653938232-0
                                                                                      • Opcode ID: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
                                                                                      • Instruction ID: 44f2cbb3ea973b2da694034fd3275bff3404365078f258258cd20a66cb2e0f27
                                                                                      • Opcode Fuzzy Hash: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
                                                                                      • Instruction Fuzzy Hash: FE41E5B07006259BDB288EB9E88096F77A6EFC0360B64816FE85587740D7799D818B4C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.64%

                                                                                      APIs
                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043644B
                                                                                      • __isleadbyte_l.LIBCMT ref: 00436479
                                                                                        • Part of subcall function 004237FB: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00423807
                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004364A7
                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004364DD
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Locale$ByteCharMultiUpdateUpdate::_Wide$__getptd_noexit__isleadbyte_l
                                                                                      • String ID:
                                                                                      • API String ID: 3164516598-0
                                                                                      • Opcode ID: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
                                                                                      • Instruction ID: 00bfbab79281597f36fe53e4f64e7450777474697505dafcb940073344e51601
                                                                                      • Opcode Fuzzy Hash: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
                                                                                      • Instruction Fuzzy Hash: 4A31F030A00257BFDB218F65CC44BAB7BA9FF59310F16802AE8548B290D738E850DB9C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.46%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • GetCursorPos.USER32(?), ref: 0048C7C2
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048C7D7
                                                                                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                      • GetCursorPos.USER32(?), ref: 0048C824
                                                                                      • DefDlgProcW.USER32(?,0000007B,?), ref: 0048C85E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CursorLongWindow$MenuPopupProcTrack
                                                                                      • String ID:
                                                                                      • API String ID: 2780618515-0
                                                                                      • Opcode ID: a5a98a92077e2aaa59aca06ed05bce2560aa70a0f09ba78dbcc783647833ee95
                                                                                      • Instruction ID: 757619bd3f98b372d46f3818d8faf94b3fa09ae1c323e5c89f059bb0ed552e39
                                                                                      • Opcode Fuzzy Hash: a5a98a92077e2aaa59aca06ed05bce2560aa70a0f09ba78dbcc783647833ee95
                                                                                      • Instruction Fuzzy Hash: 00318F35600018AFCB15EF58C898EEF7BB6EB49311F04486AF9058B2A1C7359950DB68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                        • Part of subcall function 0042A007: TlsGetValue.KERNEL32(?,?,00429C19,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 0042A01E
                                                                                      • GetLastError.KERNEL32 ref: 00426030
                                                                                      • ExitThread.KERNEL32 ref: 00426037
                                                                                      • __freefls@4.LIBCMT ref: 00426053
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429AA1
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429AB0
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429ABF
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429ACE
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429ADD
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429AEC
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429AFB
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429B0D
                                                                                        • Part of subcall function 00429A81: __lock.LIBCMT ref: 00429B15
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429B38
                                                                                        • Part of subcall function 00429A81: __lock.LIBCMT ref: 00429B4C
                                                                                        • Part of subcall function 00429A81: ___removelocaleref.LIBCMT ref: 00429B61
                                                                                        • Part of subcall function 00429A81: ___freetlocinfo.LIBCMT ref: 00429B7D
                                                                                        • Part of subcall function 00429A81: _free.LIBCMT ref: 00429B90
                                                                                        • Part of subcall function 00425F9B: __XcptFilter.LIBCMT ref: 00425FC8
                                                                                      • __indefinite.LIBCMT ref: 004320B0
                                                                                        • Part of subcall function 0042A026: TlsSetValue.KERNEL32(?,?,?,00429C40,00000000,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 0042A040
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$Value__lock$ErrorExitFilterLastThreadXcpt___freetlocinfo___removelocaleref__freefls@4__indefinite
                                                                                      • String ID:
                                                                                      • API String ID: 3523928031-0
                                                                                      • Opcode ID: 09eca4a38ffbd79079618dca8b3590f84901a86624746c396240826a582f099c
                                                                                      • Instruction ID: 77b52fc407f2c0acf1bbb9cbbec5ad7614d10c7695271f01b9e1a8fbf42c950b
                                                                                      • Opcode Fuzzy Hash: 09eca4a38ffbd79079618dca8b3590f84901a86624746c396240826a582f099c
                                                                                      • Instruction Fuzzy Hash: 53113674604215ABCB14BFB4D80655E7BA4EF04308F50896EF9048A351EB3CEC91DB8F
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00435351
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                      • HeapReAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,?,00428AB6,?,?,00000000,00000000,?,00422F40,00000000,00000010), ref: 0043536F
                                                                                      • GetLastError.KERNEL32(?,00428AB6,?,?,00000000,00000000,?,00422F40,00000000,00000010,?,?,?,?,?,00422EA5), ref: 004353CA
                                                                                        • Part of subcall function 004235E1: DecodePointer.KERNEL32(?,004259CD,?,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 004235EA
                                                                                      • GetLastError.KERNEL32(?,00428AB6,?,?,00000000,00000000,?,00422F40,00000000,00000010,?,?,?,?,?,00422EA5), ref: 004353B2
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorHeapLast$AllocAllocateDecodeFreePointer__getptd_noexit_free
                                                                                      • String ID:
                                                                                      • API String ID: 2334374242-0
                                                                                      • Opcode ID: ab35778a9cc97f6e0a94f0b3f5ee58bea3ade87e3782345d4463fa0fc8671856
                                                                                      • Instruction ID: ca36ded951c5b74dcd14922bdbfcb28a3672708b69dba933c6c60362b96cb12c
                                                                                      • Opcode Fuzzy Hash: ab35778a9cc97f6e0a94f0b3f5ee58bea3ade87e3782345d4463fa0fc8671856
                                                                                      • Instruction Fuzzy Hash: 7211C132605A25AECB212F71B84565E37A89F183B4F60182FFD049A290DABD8941879D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.55%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00404560
                                                                                        • Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
                                                                                        • Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
                                                                                        • Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
                                                                                        • Part of subcall function 0040410D: LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
                                                                                      • KillTimer.USER32(?,00000001), ref: 004045B5
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004045C4
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D6CE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_Timer_memset$KillLoadString_wcscpy
                                                                                      • String ID:
                                                                                      • API String ID: 1203397457-0
                                                                                      • Opcode ID: 9017d92aafd25a15b7bd45833115f0549aca239c36473df683567b390838c4b6
                                                                                      • Instruction ID: ee13d0e14117257c6e1bf6a2afa9c18cb2a9610526be340c73f4befcf8864d37
                                                                                      • Opcode Fuzzy Hash: 9017d92aafd25a15b7bd45833115f0549aca239c36473df683567b390838c4b6
                                                                                      • Instruction Fuzzy Hash: 14210AB0904784AFE7328B24DC45BE7BBEC9F45308F0000AFE79E66281C7781A858B59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.04%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                                                        • Part of subcall function 0048A779: LoadCursorW.USER32(00000000,00007F00), ref: 0048A7F1
                                                                                        • Part of subcall function 0048A779: SetCursor.USER32(00000000), ref: 0048A7F8
                                                                                      • GetClientRect.USER32(?,?), ref: 0043B84B
                                                                                      • GetCursorPos.USER32(?), ref: 0043B855
                                                                                      • ScreenToClient.USER32(?,?), ref: 0043B860
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$Client$LoadLongProcRectScreenWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3055988096-0
                                                                                      • Opcode ID: 0ece2ee9bdbf1d33a90fc67de420260cd1354e737385e85e7b59386c5e1efca1
                                                                                      • Instruction ID: 88478fa3ad29557ab13713681797212a94603c3b61ccda0d63648654153e7648
                                                                                      • Opcode Fuzzy Hash: 0ece2ee9bdbf1d33a90fc67de420260cd1354e737385e85e7b59386c5e1efca1
                                                                                      • Instruction Fuzzy Hash: 82112B39510019EBCB00EF94D8859AE77B8FB05300F1048AAF901F7291D734AA569BA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.23%

                                                                                      APIs
                                                                                      • __cftof_l.LIBCMT ref: 0043722B
                                                                                        • Part of subcall function 00437912: __fltout2.LIBCMT ref: 0043793B
                                                                                        • Part of subcall function 00437912: __fptostr.LIBCMT ref: 0043799D
                                                                                        • Part of subcall function 00437912: __cftof2_l.LIBCMT ref: 004379BA
                                                                                      • __cftog_l.LIBCMT ref: 00437251
                                                                                        • Part of subcall function 004379D3: __fltout2.LIBCMT ref: 004379FC
                                                                                        • Part of subcall function 004379D3: __fptostr.LIBCMT ref: 00437A5D
                                                                                        • Part of subcall function 004379D3: __cftof2_l.LIBCMT ref: 00437A9E
                                                                                        • Part of subcall function 004379D3: __cftoe2_l.LIBCMT ref: 00437AB9
                                                                                      • __cftoa_l.LIBCMT ref: 0043726A
                                                                                        • Part of subcall function 0043728D: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004372AD
                                                                                        • Part of subcall function 0043728D: _mbstowcs_s.LIBCMT ref: 00437324
                                                                                        • Part of subcall function 0043728D: _strrchr.LIBCMT ref: 0043735F
                                                                                        • Part of subcall function 0043728D: _memset.LIBCMT ref: 004374F6
                                                                                        • Part of subcall function 0043728D: __alldvrm.LIBCMT ref: 00437571
                                                                                        • Part of subcall function 0043728D: __alldvrm.LIBCMT ref: 00437594
                                                                                        • Part of subcall function 0043728D: __alldvrm.LIBCMT ref: 004375B7
                                                                                      • __cftoe_l.LIBCMT ref: 00437283
                                                                                        • Part of subcall function 00437758: __fltout2.LIBCMT ref: 00437785
                                                                                        • Part of subcall function 00437758: __fptostr.LIBCMT ref: 004377ED
                                                                                        • Part of subcall function 00437758: __cftoe2_l.LIBCMT ref: 0043780D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __alldvrm__fltout2__fptostr$Locale__cftoe2_l__cftof2_l$UpdateUpdate::___cftoa_l__cftoe_l__cftof_l__cftog_l_mbstowcs_s_memset_strrchr
                                                                                      • String ID:
                                                                                      • API String ID: 621885885-0
                                                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                      • Instruction ID: 99b9b692cf18fd2280f287716e5b4489036060bef9d5190ceb0c0b5b499c977f
                                                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                      • Instruction Fuzzy Hash: 71016DB204418EBBCF225E84CC018EE3F22BF1D354F089656FE9858121C23AC9B1AB85
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.60%

                                                                                      APIs
                                                                                      • GetWindowRect.USER32(?,?), ref: 0048B59E
                                                                                      • ScreenToClient.USER32(?,?), ref: 0048B5B6
                                                                                      • ScreenToClient.USER32(?,?), ref: 0048B5DA
                                                                                      • InvalidateRect.USER32(?,?,?), ref: 0048B5F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 357397906-0
                                                                                      • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                                      • Instruction ID: c1ec13a6a315efdf6b243f43d6614c5161e9ce39f19ad1524a172358c11b1c05
                                                                                      • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                                      • Instruction Fuzzy Hash: 261146B5D00209EFDB41DF99C444AEEFBB5FF18310F104566E914E3620D735AA558F94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.17%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0048B8FE
                                                                                      • _memset.LIBCMT ref: 0048B90D
                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C7F20,004C7F64), ref: 0048B93C
                                                                                      • CloseHandle.KERNEL32 ref: 0048B94E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memset$CloseCreateHandleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 3277943733-0
                                                                                      • Opcode ID: 20938f2380c00bee8b77b7cffb68c01d981cfa171dd9b4496317a146dae37767
                                                                                      • Instruction ID: 82d0d7306074909859a51e75144c9fe9cb012601897826516f2148835353e407
                                                                                      • Opcode Fuzzy Hash: 20938f2380c00bee8b77b7cffb68c01d981cfa171dd9b4496317a146dae37767
                                                                                      • Instruction Fuzzy Hash: DDF05EB26443107BE2506B61AC85FBB3A5CEB08358F00443AFB08D5296D77959008BBC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.28%

                                                                                      APIs
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C030
                                                                                      • LineTo.GDI32(00000000,?,?), ref: 0048C03D
                                                                                      • EndPath.GDI32(00000000), ref: 0048C04D
                                                                                      • StrokePath.GDI32(00000000), ref: 0048C05B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                      • String ID:
                                                                                      • API String ID: 2783949968-0
                                                                                      • Opcode ID: edfbcd623de5c465fbf958c9dabb36f9443974b16c1799f8a50be9d4dd4f4236
                                                                                      • Instruction ID: 674b4468024ad211d301666b20e3bfa7de505a3549e2e29f62cfbf593809ea28
                                                                                      • Opcode Fuzzy Hash: edfbcd623de5c465fbf958c9dabb36f9443974b16c1799f8a50be9d4dd4f4236
                                                                                      • Instruction Fuzzy Hash: BAF0BE31001219BBDB127F90AC09FCE3F58AF06310F148429FA11210E287794564DBAD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000008), ref: 00402231
                                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                                                      • GetStockObject.GDI32(00000005), ref: 00402258
                                                                                      • GetWindowDC.USER32(?), ref: 0043C0D3
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043C0E0
                                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0043C0F9
                                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0043C112
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0043C132
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0043C13D
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0043C159
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pixel$Color$BrushCreateModeObjectReleaseSolidStockTextWindow
                                                                                      • String ID:
                                                                                      • API String ID: 88331326-0
                                                                                      • Opcode ID: 27b2581c254cdff319ff0ea5d8f2be35128cc34943b3abbe395981e759962590
                                                                                      • Instruction ID: 007a7e945b926db1975f0eb4024d1954444be121fda63f18d3fd7a61cce91000
                                                                                      • Opcode Fuzzy Hash: 27b2581c254cdff319ff0ea5d8f2be35128cc34943b3abbe395981e759962590
                                                                                      • Instruction Fuzzy Hash: 58E03932100244EADB215FA8EC4D7DD3B20AB05332F10837AFAA9580E287764994DB15
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.25%

                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 00442187
                                                                                      • GetDC.USER32(00000000), ref: 00442191
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004421B1
                                                                                      • ReleaseDC.USER32(?), ref: 004421D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      • Opcode ID: 6ccce6c581eecdf91341cc96db6383502fda410d9a8940bdb714612b0f6538cf
                                                                                      • Instruction ID: e80bcdaed25015b38fc075b9af120d0661f73bd954452babf2cca2976e4e6e99
                                                                                      • Opcode Fuzzy Hash: 6ccce6c581eecdf91341cc96db6383502fda410d9a8940bdb714612b0f6538cf
                                                                                      • Instruction Fuzzy Hash: 8BE01A75900204EFDB019FA0C808A9D7BF1EF5C350F108A3AF95AE7260DB7885569F49
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.08%

                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 0044219B
                                                                                      • GetDC.USER32(00000000), ref: 004421A5
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004421B1
                                                                                      • ReleaseDC.USER32(?), ref: 004421D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      • Opcode ID: 56bdb0173f3b1fd63dc82c5c3953b40893d4d886f94812d9d464ad18ef1fe862
                                                                                      • Instruction ID: 0585887194f83d5896a0f01572a955ee9a0ca529f388d05c95cdd3c21f880870
                                                                                      • Opcode Fuzzy Hash: 56bdb0173f3b1fd63dc82c5c3953b40893d4d886f94812d9d464ad18ef1fe862
                                                                                      • Instruction Fuzzy Hash: 98E01A75900204EFCB019FB0C80869D7BF1EF5C310F108939F95AA7260DB3895569F48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.08%

                                                                                      APIs
                                                                                      • _memmove.LIBCMT ref: 0043E402
                                                                                        • Part of subcall function 00407CB3: _memmove.LIBCMT ref: 00407D13
                                                                                        • Part of subcall function 00407FAF: _memmove.LIBCMT ref: 00408003
                                                                                      • CharUpperBuffW.USER32(00000000,00000000), ref: 004065A1
                                                                                        • Part of subcall function 0040766F: _memmove.LIBCMT ref: 0040774A
                                                                                        • Part of subcall function 00405FD2: CharUpperBuffW.USER32(00000040,?), ref: 00406032
                                                                                        • Part of subcall function 00407A84: _memmove.LIBCMT ref: 00407B0D
                                                                                        • Part of subcall function 00407A84: _memmove.LIBCMT ref: 0043F009
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 0045FDBA: GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000001,?,0043E452,00000001,0000138C,00000001,00000001,00000001,?,00000000,00000001), ref: 0045FDEF
                                                                                        • Part of subcall function 0045FDBA: LoadStringW.USER32(00000000,?,0043E452,00000001), ref: 0045FDF8
                                                                                        • Part of subcall function 0045FDBA: GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0043E452,00000001,0000138C,00000001,00000001,00000001,?,00000000,00000001,00000001), ref: 0045FE1A
                                                                                        • Part of subcall function 0045FDBA: LoadStringW.USER32(00000000,?,0043E452,00000001), ref: 0045FE1D
                                                                                        • Part of subcall function 0045FDBA: __swprintf.LIBCMT ref: 0045FE6D
                                                                                        • Part of subcall function 0045FDBA: __swprintf.LIBCMT ref: 0045FE7E
                                                                                        • Part of subcall function 0045FDBA: _wprintf.LIBCMT ref: 0045FF27
                                                                                        • Part of subcall function 0045FDBA: MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045FF3E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$BuffCharHandleLoadModuleStringUpper__swprintf$Exception@8MessageThrow_wprintfstd::exception::exception
                                                                                      • String ID: %I
                                                                                      • API String ID: 1460846173-63094095
                                                                                      • Opcode ID: 8f5c73ea1c93cb2696c2b0e3a7f91fe69737ae6729f64a5f08641e96e0e69f4a
                                                                                      • Instruction ID: 84bc00bdb2e4020951578f3af3c94fec4ee35539559d4017637e04890254edec
                                                                                      • Opcode Fuzzy Hash: 8f5c73ea1c93cb2696c2b0e3a7f91fe69737ae6729f64a5f08641e96e0e69f4a
                                                                                      • Instruction Fuzzy Hash: 25B18F71900109AACF14EB99C8819EEB7B4EF44314F51403BE903B72D5DA3C9D96CB5E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004869D0
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004869DB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$CreateObjectShowStock
                                                                                      • String ID: Combobox
                                                                                      • API String ID: 269107984-2096851135
                                                                                      • Opcode ID: 9cfe375ed6e0b34d9a506390f0cd77aadc23eb3c644841765a6bbab8cb0b8bcc
                                                                                      • Instruction ID: 83f828f06193a85efc0b0adebec9c430e4e02a922dab4690574673653ee6290d
                                                                                      • Opcode Fuzzy Hash: 9cfe375ed6e0b34d9a506390f0cd77aadc23eb3c644841765a6bbab8cb0b8bcc
                                                                                      • Instruction Fuzzy Hash: 9711B6B17002086FEF51AE14CC90EAF376FEB853A4F22452AF9589B3D0D6799C5187A4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: .dll$OaA
                                                                                      • API String ID: 4104443479-4235742178
                                                                                      • Opcode ID: d023c89e2568cbe47c7e9be05447d0614d03dd1bdc5753fbcacbf1ef5e56afe8
                                                                                      • Instruction ID: 4a953e2e287933c67df9e601e5b7dd51d2cf1e1eb743514fd817fef83038cb5d
                                                                                      • Opcode Fuzzy Hash: d023c89e2568cbe47c7e9be05447d0614d03dd1bdc5753fbcacbf1ef5e56afe8
                                                                                      • Instruction Fuzzy Hash: 19018071204B019FD7209E2DDD8891AB7F9FB44304B504D3EE146C6B51E7B5F8048B48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __fread_nolock_memmove
                                                                                      • String ID: EA06
                                                                                      • API String ID: 1988441806-3962188686
                                                                                      • Opcode ID: 0ffa3d434e5b6a956c6ed572106e06fd0ca4870dbeab2ecb47157eb41c369f2b
                                                                                      • Instruction ID: 69ed26fe311b0cc63e55e163675035c3f2ff08f97f20fd5c9232a639071a0922
                                                                                      • Opcode Fuzzy Hash: 0ffa3d434e5b6a956c6ed572106e06fd0ca4870dbeab2ecb47157eb41c369f2b
                                                                                      • Instruction Fuzzy Hash: 50014971904228AEDB28C6A8D816FFE7BFC8B11301F00419FF152D2181E4B8EA188B64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.71%

                                                                                      APIs
                                                                                        • Part of subcall function 0043B564: _memset.LIBCMT ref: 0043B571
                                                                                        • Part of subcall function 00420B84: InitializeCriticalSectionAndSpinCount.KERNEL32(004C5158,00000000,004C5144,0043B540,?,?,?,0040100A), ref: 00420B89
                                                                                        • Part of subcall function 00420B84: GetLastError.KERNEL32(?,?,?,0040100A), ref: 004562E7
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B544
                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B553
                                                                                      Strings
                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B54E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1829962092.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1829911393.00400000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1830852023.00564000.00000004.sdmp
                                                                                      • Associated: 00000000.00000002.1832043812.00565000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1839239526.00575000.00000002.sdmp
                                                                                      • Associated: 00000000.00000002.1840068284.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString_memset
                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                      • API String ID: 436010757-631824599
                                                                                      • Opcode ID: cfdba6c3f5d1c47e0915195a6a61c30b6b4130fea4c9ebe93c9a57294c91e8a4
                                                                                      • Instruction ID: bbad548b5aabf2add28ed68359945d9081cd17edac9c4c9c4009ad7997521b12
                                                                                      • Opcode Fuzzy Hash: cfdba6c3f5d1c47e0915195a6a61c30b6b4130fea4c9ebe93c9a57294c91e8a4
                                                                                      • Instruction Fuzzy Hash: 7EE06DB02003108BD720DF69E5047467BE0EB14748F00C97EE946C6251D7BCE448CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      Execution Graph

                                                                                      Execution Coverage:3.6%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:6.2%
                                                                                      Total number of Nodes:1372
                                                                                      Total number of Limit Nodes:98

                                                                                      Graph

                                                                                      execution_graph 70402 401000 70407 43b511 70402->70407 70408 43b519 70407->70408 70417 420b84 InitializeCriticalSectionAndSpinCount 70408->70417 70411 40100a 70414 422f80 70411->70414 70412 43b544 IsDebuggerPresent 70412->70411 70413 43b54e OutputDebugStringW 70412->70413 70413->70411 70420 422e84 70414->70420 70416 401014 70418 4562e7 GetLastError 70417->70418 70419 420b97 70417->70419 70418->70419 70419->70411 70419->70412 70421 422e90 ___lock_fhandle 70420->70421 70428 423457 70421->70428 70427 422eb7 ___lock_fhandle 70427->70416 70445 429e4b 70428->70445 70430 422e99 70431 422ec8 RtlDecodePointer RtlDecodePointer 70430->70431 70432 422ea5 70431->70432 70433 422ef5 70431->70433 70442 422ec2 70432->70442 70433->70432 70491 4289e4 70433->70491 70435 422f58 RtlEncodePointer RtlEncodePointer 70435->70432 70436 422f2c 70436->70432 70440 422f46 EncodePointer 70436->70440 70499 428aa4 61 API calls 2 library calls 70436->70499 70437 422f07 70437->70435 70437->70436 70498 428aa4 61 API calls 2 library calls 70437->70498 70440->70435 70441 422f40 70441->70432 70441->70440 70502 423460 70442->70502 70446 429e6f EnterCriticalSection 70445->70446 70447 429e5c 70445->70447 70446->70430 70452 429ed3 70447->70452 70449 429e62 70449->70446 70476 4232f5 58 API calls 3 library calls 70449->70476 70453 429edf ___lock_fhandle 70452->70453 70454 429f00 70453->70454 70455 429ee8 70453->70455 70464 429f21 ___lock_fhandle 70454->70464 70480 428a5d 58 API calls __malloc_crt 70454->70480 70477 42a3ab 58 API calls 2 library calls 70455->70477 70458 429eed 70478 42a408 58 API calls 7 library calls 70458->70478 70460 429f15 70462 429f2b 70460->70462 70463 429f1c 70460->70463 70461 429ef4 70479 4232df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 70461->70479 70467 429e4b __lock 58 API calls 70462->70467 70481 428d68 58 API calls __getptd_noexit 70463->70481 70464->70449 70469 429f32 
70467->70469 70470 429f57 70469->70470 70471 429f3f 70469->70471 70483 422f95 70470->70483 70482 42a06b InitializeCriticalSectionAndSpinCount 70471->70482 70474 429f4b 70489 429f73 LeaveCriticalSection __freefls@4 70474->70489 70477->70458 70478->70461 70480->70460 70481->70464 70482->70474 70484 422f9e HeapFree 70483->70484 70488 422fc7 __dosmaperr 70483->70488 70485 422fb3 70484->70485 70484->70488 70490 428d68 58 API calls __getptd_noexit 70485->70490 70487 422fb9 GetLastError 70487->70488 70488->70474 70489->70464 70490->70487 70492 428a02 HeapSize 70491->70492 70493 4289ed 70491->70493 70492->70437 70500 428d68 58 API calls __getptd_noexit 70493->70500 70495 4289f2 70501 428ff6 9 API calls __strnicmp_l 70495->70501 70497 4289fd 70497->70437 70498->70436 70499->70441 70500->70495 70501->70497 70505 429fb5 LeaveCriticalSection 70502->70505 70504 422ec7 70504->70427 70505->70504 70506 38c579 70507 38c59e 70506->70507 70511 38c643 70507->70511 70512 38c6d8 CreateFileA 70507->70512 70513 38c718 DeviceIoControl 70512->70513 70514 38c5ea 70512->70514 70513->70514 70514->70511 70515 38c787 70514->70515 70520 38c91d 70515->70520 70518 38c7e8 DeviceIoControl 70519 38c827 70518->70519 70519->70511 70521 38c7c2 CreateFileA 70520->70521 70521->70518 70521->70519 70522 401044 70527 403ca8 70522->70527 70525 422f80 __cinit 67 API calls 70526 401053 70525->70526 70534 4077c7 70527->70534 70530 4077c7 59 API calls 70531 403cbc 70530->70531 70532 4077c7 59 API calls 70531->70532 70533 401049 70532->70533 70533->70525 70539 420ff6 70534->70539 70536 4077e8 70537 420ff6 59 API calls 70536->70537 70538 403cb2 70537->70538 70538->70530 70542 420ffe 70539->70542 70541 421018 70541->70536 70542->70541 70544 42101c std::exception::exception 70542->70544 70549 42594c 70542->70549 70566 4235e1 DecodePointer 70542->70566 70567 4287db RaiseException 70544->70567 70546 421046 70568 428711 58 API calls _free 70546->70568 70548 421058 70548->70536 70550 4259c7 70549->70550 70553 425958 
Execution Graph

The graph was exported as a flat, whitespace-separated token stream: each node is a decimal node id, a six-hex-digit code address, and the names attached to that node (Windows APIs observed there, CRT symbol names such as __cinit or _memmove, or a collapsed-subtree count such as "58 API calls"); edges between node ids appear as from->to. The export is cut off at its end (the last node id has no address or labels). The nodes that carry concrete API names are listed below by address; edge data and collapsed-subtree counts are not reproduced.

Nodes at 0x397570 to 0x398a3f (the only addresses outside the 0x40xxxx to 0x48xxxx range used by every other node):
  • 397926: KiUserExceptionDispatcher
  • 397e65: KiUserExceptionDispatcher
  • 39834d: VirtualAlloc
  • 3985ae: KiUserExceptionDispatcher
  • 398a34: CheckRemoteDebuggerPresent

Debugger and exception handling:
  • 403b8c: IsDebuggerPresent (successor node 43d4ad: MessageBoxA)
  • 428ed3: IsDebuggerPresent (node labelled __call_reportfault; successors 42a395: SetUnhandledExceptionFilter UnhandledExceptionFilter and 42a380: GetCurrentProcess TerminateProcess)
  • 42a364: SetUnhandledExceptionFilter

Process start-up and CRT:
  • 427f33: GetCommandLineW
  • 435173: GetEnvironmentStringsW; 4351c0: FreeEnvironmentStringsW
  • 434d6b, 404871: GetModuleFileNameW
  • 42a048, 42d8a1: GetStartupInfoW
  • 428dbc: GetProcessHeap; 42598b: RtlAllocateHeap; 43547c: HeapAlloc
  • 429f7c, 42a06b: InitializeCriticalSectionAndSpinCount; 4307fa: EnterCriticalSection; 429fb5, 42dabd: LeaveCriticalSection
  • 429fca: TlsAlloc; 42a026: TlsSetValue; 429d80: GetCurrentThreadId
  • 42da32: GetStdHandle; 42da45, 42d938: GetFileType
  • 4233c7, 42a711, 42a764, 422e5f: RtlEncodePointer; 4235e1: DecodePointer; 4235b7: RtlDecodePointer RtlEncodePointer
  • 429006, 42c840: IsProcessorFeaturePresent
  • 4232df: GetModuleHandleExW GetProcAddress ExitProcess (___crtCorExitProcess)
  • 4070bd, 40710a, 42387d: GetStringTypeW
  • 469393: GetSystemTimeAsFileTime
  • 42a372: Sleep

Files, directories and paths:
  • 403b63: GetCurrentDirectoryW
  • 403c7a, 43d4ed, 406d09, 406e53: SetCurrentDirectoryW
  • 403bd5, 410ab9, 4048bb: GetFullPathNameW; 4209e2: GetLongPathNameW
  • 4059b0: ReadFile SetFilePointerEx; 405c4e: SetFilePointerEx SetFilePointerEx
  • 405dcf, 405ded: CloseHandle
  • 43ee67: GetOpenFileNameW

Registry:
  • 4035c4: RegOpenKeyExW; 4035de: RegQueryValueExW; 403614: RegCloseKey

Libraries and resources:
  • 404f68: LoadLibraryExW
  • 404d6a, 404d9d, 404c95: LoadLibraryA; 404d7b, 404dae, 404c95: GetProcAddress
  • 404fdb, 404d4a, 404c4d: FreeLibrary
  • 404fe9: CreateStreamOnHGlobal
  • 405003: FindResourceExW; 43dd5c: LoadResource; 43dd71: SizeofResource; 43dd85: LockResource
  • 4048fe: LoadImageW EnumResourceNamesW

System and token information:
  • 404b16: GetVersionExW
  • 404bf1: GetCurrentProcess IsWow64Process
  • 404c89, 404c7d: GetSystemInfo
  • 464c03: AllocateAndInitializeSid CheckTokenMembership FreeSid

Windowing and message loop:
  • 404982: IsThemeActive; 404a5b: SystemParametersInfoW SystemParametersInfoW; 4049c2: SystemParametersInfoW
  • 403a58: GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW
  • 403ac2: LoadImageW RegisterClassExW
  • 4039e7: CreateWindowExW CreateWindowExW ShowWindow ShowWindow
  • 4044cb: Shell_NotifyIconW
  • 43d55b: GetForegroundWindow ShellExecuteW
  • 410bab, 410fa3: PeekMessageW; 410fbf: TranslateMessage DispatchMessageW; 446082: TranslateMessage DispatchMessageW GetMessageW
  • 411058: LockWindowUpdate DestroyWindow GetMessageW
  • 44517a: TranslateAcceleratorW
  • 4031ce: IsDialogMessageW GetClassLongW

Child-process waiting and timing:
  • 445c49, 445fcf: WaitForSingleObject
  • 445c66, 445fb9: GetExitCodeProcess; 445c66, 445fe5: CloseHandle
  • 4452ab, 410fdd, 445f22, 4454a2, 446041, 412e51: Sleep
  • 410e73, 4110ae, 420719, 412e1a: timeGetTime
  • 4654e6: QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep
  • 4459ff, 445a95, 445843: import by ordinal #9
4077c7 59 API calls 71890->71891 71892 40f993 71891->71892 71893 4077c7 59 API calls 71892->71893 71894 40fa5e 71893->71894 71922 4160e7 71894->71922 71898 40fa90 71899 4077c7 59 API calls 71898->71899 71900 40fa9a 71899->71900 71950 41ffde 71900->71950 71902 40fae1 71903 40faf1 GetStdHandle 71902->71903 71904 4449d5 71903->71904 71905 40fb3d 71903->71905 71904->71905 71907 4449de 71904->71907 71906 40fb45 OleInitialize 71905->71906 71906->71876 71957 466dda 64 API calls 71907->71957 71909 4449e5 71958 4674a9 CreateThread 71909->71958 71911 4449f1 CloseHandle 71911->71906 71959 42021c 71912->71959 71915 42021c 59 API calls 71916 420185 71915->71916 71917 4077c7 59 API calls 71916->71917 71918 420191 71917->71918 71919 407d2c 59 API calls 71918->71919 71920 40f8f6 71919->71920 71921 4203a2 6 API calls 71920->71921 71921->71884 71923 4077c7 59 API calls 71922->71923 71924 4160f7 71923->71924 71925 4077c7 59 API calls 71924->71925 71926 4160ff 71925->71926 71966 415bfd 71926->71966 71929 415bfd 59 API calls 71930 41610f 71929->71930 71931 4077c7 59 API calls 71930->71931 71932 41611a 71931->71932 71933 420ff6 59 API calls 71932->71933 71934 40fa68 71933->71934 71935 416259 71934->71935 71936 416267 71935->71936 71937 4077c7 59 API calls 71936->71937 71938 416272 71937->71938 71939 4077c7 59 API calls 71938->71939 71940 41627d 71939->71940 71941 4077c7 59 API calls 71940->71941 71942 416288 71941->71942 71943 4077c7 59 API calls 71942->71943 71944 416293 71943->71944 71945 415bfd 59 API calls 71944->71945 71946 41629e 71945->71946 71947 420ff6 59 API calls 71946->71947 71948 4162a5 RegisterWindowMessageW 71947->71948 71948->71898 71951 455cc3 71950->71951 71952 41ffee 71950->71952 71969 469d71 60 API calls 71951->71969 71953 420ff6 59 API calls 71952->71953 71955 41fff6 71953->71955 71955->71902 71956 455cce 71957->71909 71958->71911 71960 4077c7 59 API calls 71959->71960 71961 420227 71960->71961 71962 4077c7 59 API calls 71961->71962 71963 42022f 71962->71963 71964 
4077c7 59 API calls 71963->71964 71965 42017b 71964->71965 71965->71915 71967 4077c7 59 API calls 71966->71967 71968 415c05 71967->71968 71968->71929 71969->71956 71970 401027 71975 404a10 71970->71975 71973 422f80 __cinit 67 API calls 71974 401036 71973->71974 71976 420ff6 59 API calls 71975->71976 71977 404a18 71976->71977 71978 404a94 67 API calls 71977->71978 71979 40102c 71977->71979 71978->71979 71979->71973 71980 4010a9 71981 4010ae 71980->71981 71982 422f80 __cinit 67 API calls 71981->71982 71983 4010b8 71982->71983 71984 4037ee 71985 4037f6 71984->71985 71986 4081a7 59 API calls 71985->71986 71987 403801 71986->71987 72047 4093ea 71987->72047 71990 407f41 59 API calls 71991 40381a 71990->71991 71992 408620 69 API calls 71991->71992 71993 40382c 71992->71993 71994 407f41 59 API calls 71993->71994 71995 403852 71994->71995 71996 408620 69 API calls 71995->71996 71997 403861 71996->71997 71998 4077c7 59 API calls 71997->71998 71999 40387f 71998->71999 72050 403ee2 59 API calls 71999->72050 72001 40388b 72051 42313d 60 API calls 2 library calls 72001->72051 72003 403899 72004 4038a3 72003->72004 72005 43d3ea 72003->72005 72052 42313d 60 API calls 2 library calls 72004->72052 72062 403ee2 59 API calls 72005->72062 72008 4038ae 72009 43d3fe 72008->72009 72010 4038b8 72008->72010 72063 403ee2 59 API calls 72009->72063 72053 42313d 60 API calls 2 library calls 72010->72053 72013 4038c3 72014 43d41a 72013->72014 72015 4038cd 72013->72015 72017 404864 61 API calls 72014->72017 72054 42313d 60 API calls 2 library calls 72015->72054 72018 43d43f 72017->72018 72064 403ee2 59 API calls 72018->72064 72019 403919 72023 403926 72019->72023 72024 43d468 72019->72024 72021 4038d8 72021->72019 72021->72024 72055 403ee2 59 API calls 72021->72055 72022 43d44b 72027 4081a7 59 API calls 72022->72027 72057 40942e 59 API calls 72023->72057 72025 4081a7 59 API calls 72024->72025 72029 43d48a 72025->72029 72031 43d459 72027->72031 72066 403ee2 59 API calls 72029->72066 72030 4038fc 
72034 4081a7 59 API calls 72030->72034 72065 403ee2 59 API calls 72031->72065 72032 403936 72058 4091b0 59 API calls 72032->72058 72038 40390a 72034->72038 72037 43d497 72037->72037 72056 403ee2 59 API calls 72038->72056 72039 403944 72059 409040 60 API calls 72039->72059 72042 4093ea 59 API calls 72044 403961 72042->72044 72044->72042 72046 4039a7 72044->72046 72060 409040 60 API calls 72044->72060 72061 403ee2 59 API calls 72044->72061 72048 420ff6 59 API calls 72047->72048 72049 40380d 72048->72049 72049->71990 72050->72001 72051->72003 72052->72008 72053->72013 72054->72021 72055->72030 72056->72019 72057->72032 72058->72039 72059->72044 72060->72044 72061->72044 72062->72009 72063->72014 72064->72022 72065->72024 72066->72037 72067 403633 72068 40366a 72067->72068 72069 4036e7 72068->72069 72070 403688 72068->72070 72106 4036e5 72068->72106 72072 4036ed 72069->72072 72073 43d31c 72069->72073 72074 403695 72070->72074 72075 40375d PostQuitMessage 72070->72075 72071 4036ca DefWindowProcW 72109 4036d8 72071->72109 72076 4036f2 72072->72076 72077 403715 SetTimer RegisterWindowMessageW 72072->72077 72117 4111d0 10 API calls 72073->72117 72078 4036a0 72074->72078 72079 43d38f 72074->72079 72075->72109 72081 4036f9 KillTimer 72076->72081 72082 43d2bf 72076->72082 72083 40373e CreatePopupMenu 72077->72083 72077->72109 72084 403767 72078->72084 72085 4036a8 72078->72085 72122 462a16 71 API calls _memset 72079->72122 72112 4044cb Shell_NotifyIconW _memset 72081->72112 72088 43d2c4 72082->72088 72089 43d2f8 MoveWindow 72082->72089 72083->72109 72115 404531 64 API calls _memset 72084->72115 72091 4036b3 72085->72091 72092 43d374 72085->72092 72087 43d343 72118 4111f3 240 API calls 72087->72118 72096 43d2e7 SetFocus 72088->72096 72097 43d2c8 72088->72097 72089->72109 72099 40374b 72091->72099 72100 4036be 72091->72100 72092->72071 72121 45817e 59 API calls 72092->72121 72093 43d3a1 72093->72071 72093->72109 72096->72109 72097->72100 72101 43d2d1 72097->72101 72098 40370c 
72113 403114 DeleteObject DestroyWindow 72098->72113 72114 4045df 81 API calls _memset 72099->72114 72100->72071 72119 4044cb Shell_NotifyIconW _memset 72100->72119 72116 4111d0 10 API calls 72101->72116 72106->72071 72107 40375b 72107->72109 72110 43d368 72120 4043db 68 API calls _memset 72110->72120 72112->72098 72113->72109 72114->72107 72115->72109 72116->72109 72117->72087 72118->72100 72119->72110 72120->72106 72121->72106 72122->72093 72123 38c94c 72126 38c975 72123->72126 72125 38c957 72127 38c99d 72126->72127 72128 38ca2c 72127->72128 72129 38c9be VirtualAlloc 72127->72129 72128->72125 72129->72128 72130 38c9dc 72129->72130 72131 38ca15 VirtualFree 72130->72131 72131->72128 72132 468c33 72133 42594c __malloc_crt 58 API calls 72132->72133 72134 468c42 72133->72134 72135 42594c __malloc_crt 58 API calls 72134->72135 72136 468c56 72135->72136 72137 42594c __malloc_crt 58 API calls 72136->72137 72138 468c6a 72137->72138 72140 468c7d 72138->72140 72141 468f97 58 API calls _free 72138->72141 72141->72140 72142 401078 72147 4071eb 72142->72147 72144 40108c 72145 422f80 __cinit 67 API calls 72144->72145 72146 401096 72145->72146 72148 4071fb __ftell_nolock 72147->72148 72149 4077c7 59 API calls 72148->72149 72150 4072b1 72149->72150 72151 404864 61 API calls 72150->72151 72152 4072ba 72151->72152 72178 42074f 72152->72178 72155 407e0b 59 API calls 72156 4072d3 72155->72156 72157 403f84 59 API calls 72156->72157 72158 4072e2 72157->72158 72159 4077c7 59 API calls 72158->72159 72160 4072eb 72159->72160 72161 407eec 59 API calls 72160->72161 72162 4072f4 RegOpenKeyExW 72161->72162 72163 43ecda RegQueryValueExW 72162->72163 72167 407316 72162->72167 72164 43ecf7 72163->72164 72165 43ed6c RegCloseKey 72163->72165 72166 420ff6 59 API calls 72164->72166 72165->72167 72170 43ed7e _wcscat __wsetenvp 72165->72170 72168 43ed10 72166->72168 72167->72144 72169 40538e 59 API calls 72168->72169 72171 43ed1b RegQueryValueExW 72169->72171 72170->72167 72175 407b52 59 API calls 
72170->72175 72176 407f41 59 API calls 72170->72176 72177 403f84 59 API calls 72170->72177 72172 43ed38 72171->72172 72174 43ed52 72171->72174 72173 407d2c 59 API calls 72172->72173 72173->72174 72174->72165 72175->72170 72176->72170 72177->72170 72179 431b90 __ftell_nolock 72178->72179 72180 42075c GetFullPathNameW 72179->72180 72181 42077e 72180->72181 72182 407d2c 59 API calls 72181->72182 72183 4072c5 72182->72183 72183->72155 72184 401038 72185 422f80 __cinit 67 API calls 72184->72185 72186 401042 72185->72186

Executed Functions

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B7A
• IsDebuggerPresent.KERNEL32(?,?), ref: 00403B8C
• SetCurrentDirectoryW.KERNEL32(?), ref: 00403C81
  • Part of subcall function 004073E5: _memset.LIBCMT ref: 0043EE62
  • Part of subcall function 004073E5: GetOpenFileNameW.COMDLG32(?), ref: 0043EEAC
• GetFullPathNameW.KERNEL32(00007FFF,?,?,004C62F8,004C62E0,?,?), ref: 00403BFD
  • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
  • Part of subcall function 00410A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C26,004C62F8,?,?,?), ref: 00410ACE
  • Part of subcall function 00410A8D: _wcscat.LIBCMT ref: 004450E1
  • Part of subcall function 00403A58: GetSysColorBrush.USER32(0000000F), ref: 00403A62
  • Part of subcall function 00403A58: LoadCursorW.USER32(00000000,00007F00), ref: 00403A71
  • Part of subcall function 00403A58: LoadIconW.USER32(00000063), ref: 00403A88
  • Part of subcall function 00403A58: LoadIconW.USER32(000000A4), ref: 00403A9A
  • Part of subcall function 00403A58: LoadIconW.USER32(000000A2), ref: 00403AAC
  • Part of subcall function 00403A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AD2
  • Part of subcall function 00403A58: RegisterClassExW.USER32(?), ref: 00403B28
  • Part of subcall function 004039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00403A15
  • Part of subcall function 004039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A36
  • Part of subcall function 004039E7: ShowWindow.USER32(00000000), ref: 00403A4A
  • Part of subcall function 004039E7: ShowWindow.USER32(00000000), ref: 00403A53
  • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
  • Part of subcall function 00410B30: timeGetTime.WINMM ref: 00410E76
  • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
  • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 00410FC7
  • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00410FD5
  • Part of subcall function 00410B30: Sleep.KERNELBASE(0000000A), ref: 00410FDF
  • Part of subcall function 00410B30: LockWindowUpdate.USER32(00000000), ref: 0041105A
  • Part of subcall function 00410B30: DestroyWindow.USER32 ref: 00411066
  • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
  • Part of subcall function 00410B30: timeGetTime.WINMM ref: 004110B2
  • Part of subcall function 00410B30: TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,%I,?), ref: 004452AD
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
  • Part of subcall function 00410B30: #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,?,?,?,?,?), ref: 00445844
  • Part of subcall function 00410B30: #9.OLEAUT32(00000000), ref: 00445A00
  • Part of subcall function 00410B30: #9.OLEAUT32(?,00000000,?,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,?,?,?,?,?), ref: 00445A96
  • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
  • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
  • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445C7D
  • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00445F24
  • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
  • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
  • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445FEB
  • Part of subcall function 00410B30: Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
  • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 0044608A
  • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00446098
  • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
  • Part of subcall function 004044CB: _memset.LIBCMT ref: 004044F7
  • Part of subcall function 004044CB: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00404527
  • Part of subcall function 004043DB: _memset.LIBCMT ref: 00404401
  • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004044A6
  • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004044C3
  • Part of subcall function 00404864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004072BA,?,?,?,?,0040108C,-004C5E84), ref: 00404882
  • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B93F0,00000010), ref: 0043D4BC
• SetCurrentDirectoryW.KERNEL32(?,004C62F8,?,?,?), ref: 0043D4F4
  • Part of subcall function 00464C03: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00464C2C
  • Part of subcall function 00464C03: CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00464C43
  • Part of subcall function 00464C03: FreeSid.ADVAPI32(?), ref: 00464C53
  • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
• GetForegroundWindow.USER32 ref: 0043D57A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D581
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Message$Window$Icon$LoadSleep$Name$CurrentDirectoryNotifyShell_Translate_memmove_memset$CloseCodeCreateDispatchExitFileFullHandleObjectPathPeekProcessShowSingleTimeWaittime$AcceleratorAllocateBrushCheckClassColorCursorDebuggerDestroyExecuteForegroundFreeImageInitializeLockMembershipModuleOpenPresentRegisterShellTokenUpdate_wcscat
• String ID: This is a third-party compiled AutoIt script.$runas$%I
• API String ID: 1869514552-2806069697
• Opcode ID: 92bddc9d16258cac0c6ba8490af65682ccdc987d8cab2c76bacb08fcd54519d5
• Instruction ID: 0f2c37a458a75ddd4165d4490fb1e043a1c32b8e6bc4467291d23e22a2595f58
• Opcode Fuzzy Hash: 92bddc9d16258cac0c6ba8490af65682ccdc987d8cab2c76bacb08fcd54519d5
• Instruction Fuzzy Hash: F351B575D08248AADB11AFB5DC05EEE7B78AB45304B1081BFF811B21E1DA7C5645CB2E
Uniqueness

Uniqueness Score: 100.00%

APIs
• CreateFileA.KERNELBASE(00000000,553B5C78,\\.\PhysicalDrive,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?), ref: 0038C7D9
• DeviceIoControl.KERNELBASE(00000000,0AC8FB92,00000000,002D1400,00000040,0000000C,?,00000C00,?,00000000,?,?,?), ref: 0038C81D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: ControlCreateDeviceFile
• String ID: Drive$PhysicalDrive$\\.\PhysicalDrive
• API String ID: 107608037-2339725666
• Opcode ID: dcafa7a0a2f5d4e0ef67c8717be0da1d6095b06ac5dfbc444127fdd3411b048a
• Instruction ID: 6e97d5f3dd76719445c4b58b64016f5afdb8d55bc7e53abbdfafe1e10bd25318
• Opcode Fuzzy Hash: dcafa7a0a2f5d4e0ef67c8717be0da1d6095b06ac5dfbc444127fdd3411b048a
• Instruction Fuzzy Hash: 3C31A472A50309BBEB11AFA4CC45FDEBB79FB49705F504655F618FA280D371E9108BA0
Uniqueness

Uniqueness Score: 100.00%

APIs
• CreateFileA.KERNELBASE(00000000,553B5C78,\\.\,00000000,00000003,00000000,00000003,00000000,00000000,?), ref: 0038C70D
• DeviceIoControl.KERNELBASE(00000000,0AC8FB92,00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 0038C74B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: ControlCreateDeviceFile
• String ID: :$\\.\$\\.\
• API String ID: 107608037-741549441
• Opcode ID: d57965d3291f6108405969ab9198c99898ee88127be41fb3baa620809d65ae0e
• Instruction ID: 1e9719f60d58091eab8599f90c6f6a6b8777df2fcb2d662cabdc3125379d0d3e
• Opcode Fuzzy Hash: d57965d3291f6108405969ab9198c99898ee88127be41fb3baa620809d65ae0e
• Instruction Fuzzy Hash: 22113071A44309BEE750DFB48C45FEDFBB8EB48715F508156F628B61C0E6B06A008BA4
Uniqueness

Uniqueness Score: 100.00%

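The two functions above both live in the 0x380000 region that the memory-dump source marks as not PE-backed, and ordered by call-site address they form one sequence: CreateFileA on a `\\.\` path (the function's String ID also carries `:`, consistent with a `\\.\X:` volume path assembled at runtime), DeviceIoControl with 0x00560000, then CreateFileA on `\\.\PhysicalDrive` (the disk number is presumably appended at runtime) and DeviceIoControl with 0x002D1400. Decoded with the CTL_CODE layout, 0x00560000 is IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS (FILE_DEVICE_VOLUME, function 0) and 0x002D1400 is IOCTL_STORAGE_QUERY_PROPERTY (FILE_DEVICE_MASS_STORAGE, function 0x500): the code maps a volume to its physical disk, opens that disk and reads its storage descriptor, which is where the vendor and product strings of a virtual disk are exposed. That is the usual purpose of this pair and fits the report's evasion classification, although the report does not show what the strings are compared against. Note also that 0x0AC8FB92, printed in the second argument slot, does not decode to a plausible control code (device type 0xAC8), so the slot order in these listings should not be trusted; the control code is simply the argument that matches. The script below is an added example written for this report, not Joe Sandbox code and not the sample's: it parses the four API lines exactly as printed above (copied in as constructed input), decodes every argument that matches a known control code, pairs it with the device opened just before it in call-site order, and names the technique. The control-code table is a small selection relevant to disk fingerprinting, with values as defined in the Windows SDK headers; the `•` line format is assumed to match the report.

```python
"""Decode the DeviceIoControl control codes recorded in the two 0x380000-region
functions of this report and classify the device-access sequence.

Added example for this report (not Joe Sandbox code, not the sample's code).
Assumptions: the log line format is as printed in the report, and only the
control codes in KNOWN_IOCTLS are recognised."""
import re
from dataclasses import dataclass

# Constructed sample: the four API lines of the two functions, copied from the report.
SAMPLE_LOG = r"""
• CreateFileA.KERNELBASE(00000000,553B5C78,\\.\PhysicalDrive,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?), ref: 0038C7D9
• DeviceIoControl.KERNELBASE(00000000,0AC8FB92,00000000,002D1400,00000040,0000000C,?,00000C00,?,00000000,?,?,?), ref: 0038C81D
• CreateFileA.KERNELBASE(00000000,553B5C78,\\.\,00000000,00000003,00000000,00000003,00000000,00000000,?), ref: 0038C70D
• DeviceIoControl.KERNELBASE(00000000,0AC8FB92,00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 0038C74B
"""

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x2D: "FILE_DEVICE_MASS_STORAGE",
                0x56: "FILE_DEVICE_VOLUME"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
# Control codes used for disk fingerprinting; values as defined in the Windows SDK headers.
KNOWN_IOCTLS = {
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x0007C088: "SMART_RCV_DRIVE_DATA",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
    0x00560000: "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS",
}
DEVICE_PREFIX = "\\\\.\\"          # the literal \\.\ DOS device prefix
LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int            # call-site address from the 'ref:' field


def parse_log(text):
    """Turn the report's 'Api.MODULE(arg,...), ref: ADDR' lines into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            api, module, raw_args, ref = m.groups()
            calls.append(ApiCall(api, module, raw_args.split(","), int(ref, 16)))
    return calls


def decode_ioctl(code):
    """Split a 32-bit control code into its CTL_CODE fields; name is None if unknown."""
    return {
        "device": DEVICE_TYPES.get(code >> 16, hex(code >> 16)),
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code),
    }


def find_ioctls(call):
    """Every argument of a DeviceIoControl call that is a known control code.
    The report prints raw stack slots, so the slot position is deliberately ignored."""
    codes = [int(a, 16) for a in call.args if HEX32_RE.fullmatch(a)]
    return [c for c in codes if c in KNOWN_IOCTLS]


def device_accesses(calls):
    """Pair each DOS device opened by CreateFile* with the control codes sent to it
    by the DeviceIoControl calls that follow it in call-site order."""
    accesses, current = [], None
    for call in sorted(calls, key=lambda c: c.ref):
        if call.api.startswith("CreateFile"):
            paths = [a for a in call.args if a.startswith(DEVICE_PREFIX)]
            current = paths[0] if paths else None
        elif call.api == "DeviceIoControl" and current is not None:
            accesses.extend((current, KNOWN_IOCTLS[c]) for c in find_ioctls(call))
    return accesses


def classify(accesses):
    """Name the technique when the volume -> physical drive -> property query chain is present."""
    names = {n for _, n in accesses}
    queried_disk = any(p.startswith(DEVICE_PREFIX + "PhysicalDrive")
                       and n == "IOCTL_STORAGE_QUERY_PROPERTY" for p, n in accesses)
    if queried_disk and "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS" in names:
        return ("disk hardware fingerprint: volume extents -> PhysicalDrive -> "
                "STORAGE_QUERY_PROPERTY (vendor/product strings; typical VM check)")
    if queried_disk:
        return "PhysicalDrive property query"
    return "no disk fingerprinting sequence"


def analyse(text=SAMPLE_LOG):
    accesses = device_accesses(parse_log(text))
    return {"accesses": accesses, "verdict": classify(accesses)}


if __name__ == "__main__":
    result = analyse()
    for path, name in result["accesses"]:
        print(f"{path:<20} {name}")
    for code in (0x00560000, 0x002D1400, 0x0AC8FB92):
        print(f"{code:#010x} {decode_ioctl(code)}")
    print(result["verdict"])
```

Sorting by the `ref:` address is what lines the two functions up as volume open, disk-extents query, physical-drive open, property query; when triaging another report, paste its API lines into `SAMPLE_LOG` and extend `KNOWN_IOCTLS` with whatever control codes that sample uses.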
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00398A38
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID: $
• API String ID: 3662101638-3993045852
• Opcode ID: d8cc61129b63baa32b9eab7a95e1ab547848dc20c2337d8b7e00507b7179dedc
• Instruction ID: a150198904316d2c78137f8fd25e3ece2c28598d9d6eec270ca16433b53df820
• Opcode Fuzzy Hash: d8cc61129b63baa32b9eab7a95e1ab547848dc20c2337d8b7e00507b7179dedc
• Instruction Fuzzy Hash: 24B1C37090D246DADF278F10C480B79B678BBF3310F3A86A6D906598C6DF358D81E792
Uniqueness

Uniqueness Score: 100.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString_wprintf$ErrorLastMessage_memmove
                                                                                      • String ID: Variable must be of type 'Object'.$%I
                                                                                      • API String ID: 645758847-549709184
                                                                                      • Opcode ID: ceb3e4fcce268cff78fa85b5df37f718cd604031b0f498da301670de14921990
                                                                                      • Instruction ID: 646285330f24ea673303868bc9691634490c9c151704f09186753778590e683b
                                                                                      • Opcode Fuzzy Hash: ceb3e4fcce268cff78fa85b5df37f718cd604031b0f498da301670de14921990
                                                                                      • Instruction Fuzzy Hash: 88A28C74A04205CFDB24CF59C480AAAB7B1FF48304F24847AE916BB391D739EC56CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL(E00001A9), ref: 00397931
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 69a6b07ee7fe447d1970dcead3094be8cd3c3585ed5c51ff8be90354ab8af60f
                                                                                      • Instruction ID: 9013b0e4bc31c07bda94c1574e6c1d57f9ae631cc28807ff316b2e806f267c2e
                                                                                      • Opcode Fuzzy Hash: 69a6b07ee7fe447d1970dcead3094be8cd3c3585ed5c51ff8be90354ab8af60f
                                                                                      • Instruction Fuzzy Hash: 09817F3093D206EBDF575AA48D4EFB9777CAB05340F3544A6E90BAACD1D3308900FA62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.19%

                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A36A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                                                                      • Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
                                                                                      • Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                                                                      • Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.01%

                                                                                      APIs
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
                                                                                      • Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • timeGetTime.WINMM ref: 00410E76
                                                                                        • Part of subcall function 0040FE40: _memmove.LIBCMT ref: 0041047A
                                                                                        • Part of subcall function 0040FE40: _memmove.LIBCMT ref: 004107DF
                                                                                        • Part of subcall function 0040FE40: _memmove.LIBCMT ref: 0041080E
                                                                                        • Part of subcall function 004031CE: IsDialogMessageW.USER32(?,?), ref: 00403208
                                                                                        • Part of subcall function 004031CE: GetClassLongW.USER32(?,000000E0), ref: 0043D186
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
                                                                                      • TranslateMessage.USER32(?), ref: 00410FC7
                                                                                      • DispatchMessageW.USER32(?), ref: 00410FD5
                                                                                      • Sleep.KERNELBASE(0000000A), ref: 00410FDF
                                                                                      • LockWindowUpdate.USER32(00000000), ref: 0041105A
                                                                                      • DestroyWindow.USER32 ref: 00411066
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
                                                                                      • timeGetTime.WINMM ref: 004110B2
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,%I), ref: 0046A0FC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
                                                                                      • Sleep.KERNEL32(0000000A,%I,?), ref: 004452AD
                                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
                                                                                      • TranslateMessage.USER32(?), ref: 0044608A
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
                                                                                      • #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,?,?,?,?,?), ref: 00445844
                                                                                      • #9.OLEAUT32(00000000), ref: 00445A00
                                                                                      • #9.OLEAUT32(?,00000000,?,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,?,?,?,?,?), ref: 00445A96
                                                                                      • DispatchMessageW.USER32(?), ref: 00446098
                                                                                        • Part of subcall function 004628F7: Sleep.KERNEL32(0000000A,%I,?,00445B57,?), ref: 00462965
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
                                                                                      • CloseHandle.KERNEL32(?), ref: 00445C7D
                                                                                        • Part of subcall function 004861AC: GetForegroundWindow.USER32 ref: 004861D7
                                                                                        • Part of subcall function 0040B93D: IsWindow.USER32(00000000), ref: 00441054
                                                                                        • Part of subcall function 004654E6: QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,%I,?), ref: 00465502
                                                                                        • Part of subcall function 004654E6: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,%I,?), ref: 00465510
                                                                                        • Part of subcall function 004654E6: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,%I,?), ref: 00465518
                                                                                        • Part of subcall function 004654E6: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,%I,?), ref: 00465522
                                                                                        • Part of subcall function 004654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,%I,?), ref: 0046555E
                                                                                      • Sleep.KERNEL32(0000000A), ref: 00445F24
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
                                                                                        • Part of subcall function 00463E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00463EB6
                                                                                        • Part of subcall function 00463E91: Process32FirstW.KERNEL32(00000000,?), ref: 00463EC4
                                                                                        • Part of subcall function 00463E91: Process32NextW.KERNEL32(00000000,?), ref: 00463EE4
                                                                                        • Part of subcall function 00463E91: CloseHandle.KERNEL32(00000000), ref: 00463F8E
                                                                                        • Part of subcall function 00420719: timeGetTime.WINMM ref: 0042071D
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
                                                                                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
                                                                                      • CloseHandle.KERNEL32(?), ref: 00445FEB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Sleep$_memmove$Window$CloseHandlePerformanceQueryTimeTranslatetime$CodeCounterDispatchExitLoadObjectPeekProcessProcess32SingleStringWait_wcscpy_wprintf$AcceleratorClassCreateDestroyDialogException@8FirstForegroundFrequencyLockLongNextSnapshotThrowToolhelp32Update__i64tow__itowstd::exception::exception
                                                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$%I
                                                                                      • API String ID: 3301474788-2696040622
                                                                                      • Opcode ID: 1e3baf7e7487a3f4b25296290a3073f6f71e122eeff8e3c80853fc6499edc5cf
                                                                                      • Instruction ID: abb91fbfb1f178075637fae0d8e48f5fa84006329822cc06d63061e15e90d741
                                                                                      • Opcode Fuzzy Hash: 1e3baf7e7487a3f4b25296290a3073f6f71e122eeff8e3c80853fc6499edc5cf
                                                                                      • Instruction Fuzzy Hash: ABB2A570608741DFEB24DF25C844BAAB7E5BF84308F14492FE44997392DB79E885CB4A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                      • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                      • LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                      • String ID: +$0$AutoIt v3 GUI$F;@$TaskbarCreated
                                                                                      • API String ID: 2914291525-2219658845
                                                                                      • Opcode ID: b32fe6db03ccba481f670429e5c7b523f4edffb20c87d4c464e52b45bc5e04fc
                                                                                      • Instruction ID: 979edb967f183c55e8c669bfc31fc45122444ef7f147c2a4b30f384e98b85c10
                                                                                      • Opcode Fuzzy Hash: b32fe6db03ccba481f670429e5c7b523f4edffb20c87d4c464e52b45bc5e04fc
                                                                                      • Instruction Fuzzy Hash: 043149B1941304EFEB40DFA4D884ADDBBF4FB09310F14856EE941EA2A1D3B54545CFA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                      • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                      • LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                      • String ID: +$0$AutoIt v3 GUI$F;@$TaskbarCreated
                                                                                      • API String ID: 2914291525-2219658845
                                                                                      • Opcode ID: f316edc5448d5b1c0adbc22ddb0f2bed62490a930fea9617621b6011003a6786
                                                                                      • Instruction ID: 0e09ac2d9919322b342d86481b19008a338d121ad3b6117744e7067feae746c8
                                                                                      • Opcode Fuzzy Hash: f316edc5448d5b1c0adbc22ddb0f2bed62490a930fea9617621b6011003a6786
                                                                                      • Instruction Fuzzy Hash: 4021C9B1911218AFEB40EF94EC49B9DBBF4FB08710F10853AF511A62A0D7B545448FA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00404864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004072BA,?,?,?,?,0040108C,-004C5E84), ref: 00404882
                                                                                        • Part of subcall function 0042074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004072C5,?,?,?,?,0040108C,-004C5E84), ref: 00420771
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                        • Part of subcall function 00403F84: _memmove.LIBCMT ref: 0040400E
                                                                                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0040108C,-004C5E84), ref: 00407308
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0040108C,-004C5E84), ref: 0043ECF1
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0040108C,-004C5E84), ref: 0043ED32
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,0040108C,-004C5E84), ref: 0043ED70
                                                                                      • _wcscat.LIBCMT ref: 0043EDC9
                                                                                      • _wcscat.LIBCMT ref: 0043EDFE
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$NameQueryValue_wcscat$CloseException@8FileFullModuleOpenPathThrowstd::exception::exception
                                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                      • API String ID: 2320919795-2727554177
                                                                                      • Opcode ID: b2ce1c3b15ed0b52e14b87e964901d62c51fe1087ad277a6667d9399eeb24960
                                                                                      • Instruction ID: 261d5c66dfbaa65f37115b6835693a56036b98bc8c14fb280ac0ce69df8225bb
                                                                                      • Opcode Fuzzy Hash: b2ce1c3b15ed0b52e14b87e964901d62c51fe1087ad277a6667d9399eeb24960
                                                                                      • Instruction Fuzzy Hash: 2D7159715093019BC354EF26E88195BBBE8FF98354F80487FF445932A1EB749948CF5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.47%

                                                                                      APIs
                                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                                                                                      • CreatePopupMenu.USER32 ref: 0040373E
                                                                                        • Part of subcall function 004045DF: _memset.LIBCMT ref: 004045F9
                                                                                        • Part of subcall function 004045DF: GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 0043D750
                                                                                        • Part of subcall function 004045DF: GetMenuItemCount.USER32(004C6890), ref: 0043D7CD
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000005,00000000), ref: 0043D85D
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000004,00000000), ref: 0043D865
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000006,00000000), ref: 0043D86D
                                                                                        • Part of subcall function 004045DF: DeleteMenu.USER32(004C6890,00000003,00000000), ref: 0043D875
                                                                                        • Part of subcall function 004045DF: GetMenuItemCount.USER32(004C6890), ref: 0043D87D
                                                                                        • Part of subcall function 004045DF: SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 0043D8B7
                                                                                        • Part of subcall function 004045DF: GetCursorPos.USER32(?), ref: 0043D8C1
                                                                                        • Part of subcall function 004045DF: SetForegroundWindow.USER32(00000000), ref: 0043D8CA
                                                                                        • Part of subcall function 004045DF: TrackPopupMenuEx.USER32(004C6890,00000000,?,00000000,00000000,00000000), ref: 0043D8DD
                                                                                        • Part of subcall function 004045DF: PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0043D8E9
                                                                                      • PostQuitMessage.USER32(00000000), ref: 0040375F
                                                                                        • Part of subcall function 00404531: _memset.LIBCMT ref: 00404560
                                                                                        • Part of subcall function 00404531: KillTimer.USER32(?,00000001), ref: 004045B5
                                                                                        • Part of subcall function 00404531: SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004045C4
                                                                                        • Part of subcall function 00404531: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D6CE
                                                                                      • SetFocus.USER32 ref: 0043D2ED
                                                                                      • MoveWindow.USER32(00000000,00000000,?,?,00000001), ref: 0043D311
                                                                                      • KillTimer.USER32(?,00000001), ref: 004036FC
                                                                                        • Part of subcall function 004044CB: _memset.LIBCMT ref: 004044F7
                                                                                        • Part of subcall function 004044CB: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00404527
                                                                                        • Part of subcall function 00403114: DeleteObject.GDI32(?), ref: 0040314D
                                                                                        • Part of subcall function 00403114: DestroyWindow.USER32(?), ref: 004031A6
                                                                                        • Part of subcall function 004043DB: _memset.LIBCMT ref: 00404401
                                                                                        • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004044A6
                                                                                        • Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004044C3
                                                                                        • Part of subcall function 00462A16: _memset.LIBCMT ref: 00462A31
                                                                                        • Part of subcall function 00462A16: GetMenuItemInfoW.USER32(004C6890,000000FF,00000000,00000030), ref: 00462A92
                                                                                        • Part of subcall function 00462A16: SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 00462AC8
                                                                                        • Part of subcall function 00462A16: Sleep.KERNEL32(000001F4), ref: 00462ADA
                                                                                        • Part of subcall function 00462A16: GetMenuItemCount.USER32(?), ref: 00462B1E
                                                                                        • Part of subcall function 00462A16: GetMenuItemID.USER32(?,00000000), ref: 00462B3A
                                                                                        • Part of subcall function 00462A16: GetMenuItemID.USER32(?,-00000001), ref: 00462B64
                                                                                        • Part of subcall function 00462A16: GetMenuItemID.USER32(?,?), ref: 00462BA9
                                                                                        • Part of subcall function 00462A16: CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462BEF
                                                                                        • Part of subcall function 00462A16: GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C03
                                                                                        • Part of subcall function 00462A16: SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C24
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$Info$DeleteWindow_memset$IconNotifyShell_Timer$CountMessage$KillPopupPost$CheckCreateCursorDestroyFocusForegroundMoveObjectProcQuitRadioRegisterSleepTrack
                                                                                      • String ID: TaskbarCreated$%I
                                                                                      • API String ID: 2219433024-1195164674
                                                                                      • Opcode ID: 79d529fd6cdb04e6dfd49a914938d723b06876f1bf7da1c4650920242c0a1355
                                                                                      • Instruction ID: 10ee0b11622f1361c7ec63440bed57d6dff5d427fb300c744ab7812cb175661f
                                                                                      • Opcode Fuzzy Hash: 79d529fd6cdb04e6dfd49a914938d723b06876f1bf7da1c4650920242c0a1355
                                                                                      • Instruction Fuzzy Hash: 6A4117B11101057BDB646F68EC09F7A3A58E744302F10853FFA02A23E1CA7D9D45976E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00403A62
                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00403A71
                                                                                      • LoadIconW.USER32(00000063), ref: 00403A88
                                                                                      • LoadIconW.USER32(000000A4), ref: 00403A9A
                                                                                      • LoadIconW.USER32(000000A2), ref: 00403AAC
                                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AD2
                                                                                      • RegisterClassExW.USER32(?), ref: 00403B28
                                                                                        • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                        • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                        • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                        • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                        • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                        • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                        • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                                        • Part of subcall function 004048FE: LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404922
                                                                                        • Part of subcall function 004048FE: EnumResourceNamesW.KERNEL32(00000000,0000000E,00464189,00000063), ref: 0043DA68
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$Icon$Image$Register$BrushClassColorList_$CommonControlsCreateCursorEnumInitMessageNamesReplaceResourceWindow
                                                                                      • String ID: #$0$AutoIt v3
                                                                                      • API String ID: 2567192541-4155596026
                                                                                      • Opcode ID: 42269966c74440c862dba0538370040d40d20385bd46122014e27266a7ce1093
                                                                                      • Instruction ID: 8e7cc5216a3b211786643bcbc5a53bf5eabc0ef71c34cfd7d652ed0fcc69659d
                                                                                      • Opcode Fuzzy Hash: 42269966c74440c862dba0538370040d40d20385bd46122014e27266a7ce1093
                                                                                      • Instruction Fuzzy Hash: 7F214B74E00304BFEB50AFA4EC09F9D7FB4EB08711F11857AF504A62A0D3BA56548F98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.20%

                                                                                      APIs
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00404FF9
                                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404EEE,?,?,00000000,00000000), ref: 00405010
                                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD60
                                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD75
                                                                                      • LockResource.KERNEL32(N@,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F,00000000), ref: 0043DD88
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                      • String ID: SCRIPT$N@
                                                                                      • API String ID: 3051347437-2499734412
                                                                                      • Opcode ID: 5ec92892c76f8d1a0b25561ef3fd13e1900f32b078569a65020aaf11a3c9a4ea
                                                                                      • Instruction ID: 67856c902de3f53bc3f8eb18af461e19ea0094fb9f07ee8290f0089f1c16aac3
                                                                                      • Opcode Fuzzy Hash: 5ec92892c76f8d1a0b25561ef3fd13e1900f32b078569a65020aaf11a3c9a4ea
                                                                                      • Instruction Fuzzy Hash: 33115A75200700AFD7218B65EC58F6B7BB9EBC9B11F20457DF406D62A0DB72E8048A69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%
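The function listed at refs 00404FF9 through 0043DD88 above calls FindResourceExW with resource type 0000000A (RT_RCDATA) and the name SCRIPT, then LoadResource, SizeofResource and LockResource, and wraps the result in a stream from CreateStreamOnHGlobal. That sequence is how the AutoIt runtime fetches the compiled script embedded in its own executable, and it is the reason a compiled AutoIt sample can be unpacked statically: the same resource can be read from the PE without running the file. The Python below is an added example written for this report, not code from the sample, from AutoIt or from Joe Sandbox. It walks an IMAGE_RESOURCE_DIRECTORY tree from raw .rsrc section bytes and returns the RT_RCDATA entry named SCRIPT, with bounds and depth checks so a malformed directory cannot make it loop or read out of range. The .rsrc bytes it runs on are constructed inline (a minimal directory tree and a placeholder payload) so the example runs offline; the section address SAMPLE_RVA is likewise an assumption for the example. On a real sample you would pass the raw .rsrc section and its VirtualAddress from the section table, and the bytes returned would be AutoIt's compiled-script container, whose internal format this report does not describe.

```python
import struct
from typing import Iterator, Optional, Tuple, Union

RT_RCDATA = 10  # resource type 0000000A, as passed to FindResourceExW in the listing above

# IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, NamedEntries, IdEntries
_DIR = struct.Struct("<IIHHHH")
# IMAGE_RESOURCE_DIRECTORY_ENTRY: Name-or-Id, OffsetToData-or-Subdirectory
_ENTRY = struct.Struct("<II")
# IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
_DATA = struct.Struct("<IIII")
_HIGH_BIT = 0x80000000

ResPath = Tuple[Union[int, str], ...]


def _entry_name(rsrc: bytes, name_field: int) -> Union[int, str]:
    """Decode an entry's Name field: a numeric ID, or a counted UTF-16LE string."""
    if not name_field & _HIGH_BIT:
        return name_field
    off = name_field & ~_HIGH_BIT
    if off + 2 > len(rsrc):
        return "<truncated-name>"
    (length,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2: off + 2 + 2 * length].decode("utf-16-le", errors="replace")


def walk_resources(rsrc: bytes, dir_off: int = 0, path: ResPath = (),
                   depth: int = 0) -> Iterator[Tuple[ResPath, int, int]]:
    """Yield (type/name/language path, data RVA, size) for every leaf in the tree.

    Depth is capped at three levels (type, name, language) so a directory entry
    that points back at an earlier directory cannot recurse forever.
    """
    if depth > 3 or dir_off + _DIR.size > len(rsrc):
        return
    _, _, _, _, n_named, n_id = _DIR.unpack_from(rsrc, dir_off)
    entry_off = dir_off + _DIR.size
    for _ in range(n_named + n_id):
        if entry_off + _ENTRY.size > len(rsrc):
            return
        name_field, data_field = _ENTRY.unpack_from(rsrc, entry_off)
        entry_off += _ENTRY.size
        sub_path = path + (_entry_name(rsrc, name_field),)
        if data_field & _HIGH_BIT:
            yield from walk_resources(rsrc, data_field & ~_HIGH_BIT, sub_path, depth + 1)
        elif data_field + _DATA.size <= len(rsrc):
            data_rva, size, _, _ = _DATA.unpack_from(rsrc, data_field)
            yield sub_path, data_rva, size


def extract_script_resource(rsrc: bytes, rsrc_rva: int) -> Optional[bytes]:
    """Return the RT_RCDATA resource named SCRIPT, or None if absent or out of bounds."""
    for path, data_rva, size in walk_resources(rsrc):
        if len(path) >= 2 and path[0] == RT_RCDATA and str(path[1]).upper() == "SCRIPT":
            off = data_rva - rsrc_rva  # data RVAs are relative to the image, not the section
            if 0 <= off and off + size <= len(rsrc):
                return rsrc[off: off + size]
    return None


def build_sample_rsrc(rsrc_rva: int, payload: bytes) -> bytes:
    """Constructed .rsrc section: root -> type 10 -> name "SCRIPT" -> language 0 -> data.

    Fixture data for this example only; these bytes are not taken from the sample.
    """
    name = "SCRIPT".encode("utf-16-le")
    off_type_dir, off_name_dir, off_data, off_str = 0x18, 0x30, 0x48, 0x58
    off_payload = off_str + 2 + len(name)
    off_payload += (-off_payload) % 8  # keep the data 8-byte aligned, as linkers do
    buf = bytearray(off_payload + len(payload))
    _DIR.pack_into(buf, 0x00, 0, 0, 0, 0, 0, 1)
    _ENTRY.pack_into(buf, 0x10, RT_RCDATA, _HIGH_BIT | off_type_dir)
    _DIR.pack_into(buf, off_type_dir, 0, 0, 0, 0, 1, 0)
    _ENTRY.pack_into(buf, off_type_dir + 0x10, _HIGH_BIT | off_str, _HIGH_BIT | off_name_dir)
    _DIR.pack_into(buf, off_name_dir, 0, 0, 0, 0, 0, 1)
    _ENTRY.pack_into(buf, off_name_dir + 0x10, 0, off_data)
    _DATA.pack_into(buf, off_data, rsrc_rva + off_payload, len(payload), 0, 0)
    struct.pack_into("<H", buf, off_str, len(name) // 2)
    buf[off_str + 2: off_str + 2 + len(name)] = name
    buf[off_payload:] = payload
    return bytes(buf)


SAMPLE_RVA = 0x164000                                # assumed section address for the example
SAMPLE_PAYLOAD = b"CONSTRUCTED-SCRIPT-PLACEHOLDER"   # stands in for the compiled script blob

if __name__ == "__main__":
    section = build_sample_rsrc(SAMPLE_RVA, SAMPLE_PAYLOAD)
    for leaf_path, rva, size in walk_resources(section):
        print(leaf_path, hex(rva), size)
    print(extract_script_resource(section, SAMPLE_RVA))
```

The lookup keys on the same two things the sample's own call does, type 10 and the name SCRIPT, so a hit on a file from the wild is a strong sign it is a compiled AutoIt executable rather than a generic RCDATA carrier. Passing the wrong section base, or a section cut short, returns None instead of a slice of unrelated bytes, which is the behaviour you want when triaging many files unattended.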

                                                                                      APIs
                                                                                      • RtlDecodePointer.NTDLL ref: 00422EDB
                                                                                      • RtlDecodePointer.NTDLL ref: 00422EE6
                                                                                        • Part of subcall function 004289E4: HeapSize.KERNEL32(00000000,00000000,?,00422F07,00000000,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?), ref: 00428A0D
                                                                                      • __realloc_crt.LIBCMT ref: 00422F27
                                                                                      • __realloc_crt.LIBCMT ref: 00422F3B
                                                                                      • EncodePointer.KERNEL32(00000000,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00422F4D
                                                                                      • RtlEncodePointer.NTDLL(?,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00422F5B
                                                                                      • RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,00422EA5,?,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00422F67
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$Encode$Decode__realloc_crt$HeapSize
                                                                                      • String ID:
                                                                                      • API String ID: 177749828-0
                                                                                      • Opcode ID: 84a00aaf028b4249c7e1c5d66ab9dc667d834f1d9d23803f899ef7f94023533b
                                                                                      • Instruction ID: ea3efdf8e2bad2a4f7d05d94394ea50cef9674f9c70b6f81548ced0ca2bbb24c
                                                                                      • Opcode Fuzzy Hash: 84a00aaf028b4249c7e1c5d66ab9dc667d834f1d9d23803f899ef7f94023533b
                                                                                      • Instruction Fuzzy Hash: BF118172714225BF9B149B34EF848AABBF9EB05390791457BF805D3210EB75EC009B98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0043EE62
                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 0043EEAC
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,?,004072BA,?,?,?,?,0040108C), ref: 004048CE
                                                                                        • Part of subcall function 004209D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004209F4
                                                                                        • Part of subcall function 004069CA: _free.LIBCMT ref: 0043E68C
                                                                                        • Part of subcall function 004069CA: _free.LIBCMT ref: 0043E6D3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$Path_free$FileFullLongOpen_memmove_memset
                                                                                      • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                                                                      • API String ID: 1116811270-1954568251
                                                                                      • Opcode ID: b4d37d12c6d2a76a87de7929d6b0db4a55e5567a859db527ed9755684b5293fe
                                                                                      • Instruction ID: 5559bcc2e5b0ce129e075af18a443fb14fc0140c0908acbd47f5bc3bdc75694c
                                                                                      • Opcode Fuzzy Hash: b4d37d12c6d2a76a87de7929d6b0db4a55e5567a859db527ed9755684b5293fe
                                                                                      • Instruction Fuzzy Hash: CF21F671A142589BCB01DF95C845BEE7BF89F49314F00802BE508F7281DBBC598A8FA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00403A15
                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A36
                                                                                      • ShowWindow.USER32(00000000), ref: 00403A4A
                                                                                      • ShowWindow.USER32(00000000), ref: 00403A53
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CreateShow
                                                                                      • String ID: AutoIt v3$edit
                                                                                      • API String ID: 1584632944-3779509399
                                                                                      • Opcode ID: 0bc3cb8581d30033406bf709693028d192d2a29ffe70b3422ed3ac2c8c0a6a91
                                                                                      • Instruction ID: cb3e65218c39cbcb5fba8b0d7b0502fae8825f6b165f745e847789765139e861
                                                                                      • Opcode Fuzzy Hash: 0bc3cb8581d30033406bf709693028d192d2a29ffe70b3422ed3ac2c8c0a6a91
                                                                                      • Instruction Fuzzy Hash: 54F05E706412907EEA7027236C09F372E7DD7C3F50F21817EB900A2171C6A90800CAB8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.13%

                                                                                      APIs
                                                                                      • GetVersionExW.KERNEL32(?,?,00000000), ref: 00404B2B
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                      • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?,?,00000000), ref: 00404BF8
                                                                                      • IsWow64Process.KERNELBASE(00000000,?,00000000), ref: 00404BFF
                                                                                      • GetSystemInfo.KERNELBASE(00000000,?,00000000), ref: 00404C8D
                                                                                        • Part of subcall function 00404C95: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00404CA3
                                                                                        • Part of subcall function 00404C95: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00000000), ref: 00404CB5
                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00404C50
                                                                                      • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00404C81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLibraryProcessSystem_memmove$AddressCurrentFreeLoadProcVersionWow64
                                                                                      • String ID:
                                                                                      • API String ID: 4273104156-0
                                                                                      • Opcode ID: 3ed813c13ab6b729a72130ac9ebb5d7e38d938aafd0c7b4dc5ce7f0b8531fff9
                                                                                      • Instruction ID: a2a37668ba8dc9db7c0339275d8cd71390b5c234514a477f546c7b3e3bed8d02
                                                                                      • Opcode Fuzzy Hash: 3ed813c13ab6b729a72130ac9ebb5d7e38d938aafd0c7b4dc5ce7f0b8531fff9
                                                                                      • Instruction Fuzzy Hash: D591C17194A7C0DAC731CB6894511ABBFE4AF6A300F44496FD1CAA3B41D238F908D72E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.39%

                                                                                      APIs
                                                                                        • Part of subcall function 00404F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _free.LIBCMT ref: 0043E6D3
                                                                                        • Part of subcall function 0045FC4D: _memmove.LIBCMT ref: 0045FC88
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FB81
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FBA2
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FBBC
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00406999: _wcscmp.LIBCMT ref: 004069AC
                                                                                        • Part of subcall function 0040766F: _memmove.LIBCMT ref: 0040774A
                                                                                      • _free.LIBCMT ref: 0043E68C
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                        • Part of subcall function 00404FAA: FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
                                                                                        • Part of subcall function 0045FCB1: GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E6C9,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045FCD2
                                                                                        • Part of subcall function 0045FCB1: LoadStringW.USER32(00000000,?,0043E6C9,00000010), ref: 0045FCD9
                                                                                        • Part of subcall function 0045FCB1: _wprintf.LIBCMT ref: 0045FD0C
                                                                                        • Part of subcall function 0045FCB1: MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045FD9D
                                                                                        • Part of subcall function 00464534: GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046454E
                                                                                        • Part of subcall function 00464534: LoadStringW.USER32(00000000), ref: 00464555
                                                                                        • Part of subcall function 00464534: GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046456B
                                                                                        • Part of subcall function 00464534: LoadStringW.USER32(00000000), ref: 00464572
                                                                                        • Part of subcall function 00464534: _wprintf.LIBCMT ref: 00464598
                                                                                        • Part of subcall function 00464534: MessageBoxW.USER32(00000000,?,?,00011010), ref: 004645B6
                                                                                        • Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406D0D
                                                                                        • Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?), ref: 00406E5A
                                                                                        • Part of subcall function 00406BEC: _free.LIBCMT ref: 0043EB9C
                                                                                        • Part of subcall function 00406BEC: _free.LIBCMT ref: 0043EBE2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load_free$HandleModuleString__wcsnicmp_memmove$CurrentDirectoryFreeLibraryMessage_wprintf$ErrorException@8HeapLastThrow_wcscmpstd::exception::exception
                                                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                      • API String ID: 3239964445-1757145024
                                                                                      • Opcode ID: 95ae7851350ff6c6f6e42d18b6a68ba5525c75ab88974c659dd6f3e40d4efdb4
                                                                                      • Instruction ID: 2258a68d981662f44974eb8b497df540c6efdf5e7203b7320ea2560545df3755
                                                                                      • Opcode Fuzzy Hash: 95ae7851350ff6c6f6e42d18b6a68ba5525c75ab88974c659dd6f3e40d4efdb4
                                                                                      • Instruction Fuzzy Hash: 92915E71910219AFCF04EFA6C8819EEB7B4BF18318F54446FE815AB2D1DB38A905CB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.28%

                                                                                      APIs
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004203D3
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 004203DB
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004203E6
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004203F1
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 004203F9
                                                                                        • Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00420401
                                                                                        • Part of subcall function 00416259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040FA90), ref: 004162B4
                                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040FB2D
                                                                                      • OleInitialize.OLE32(00000000), ref: 0040FBAA
                                                                                        • Part of subcall function 004674A9: CreateThread.KERNEL32(00000000,00000000,0046748F,00000000,00000000,?), ref: 004674C4
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004449F2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Handle$CloseCreateInitializeMessageRegisterThreadWindow
                                                                                      • String ID: %I
                                                                                      • API String ID: 2562920190-63094095
                                                                                      • Opcode ID: 02239ccd336f757ca34483d5bbfe3c2a34f3ebbc87da09f49494e0eb5c8a791c
                                                                                      • Instruction ID: 1cfffd179986f18d43a6ac5aa0dacd7918427e6922d3cb84a31c4b765cbc4a66
                                                                                      • Opcode Fuzzy Hash: 02239ccd336f757ca34483d5bbfe3c2a34f3ebbc87da09f49494e0eb5c8a791c
                                                                                      • Instruction Fuzzy Hash: 5B8198B49012909EC7C8EF2AE954E557BE5EB88308312C93FD819C7272EB399409CF5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                                                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValue
                                                                                      • String ID: Control Panel\Mouse
                                                                                      • API String ID: 3677997916-824357125
                                                                                      • Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                                                      • Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
                                                                                      • Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                                                      • Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.19%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00404E1A
                                                                                        • Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089
                                                                                        • Part of subcall function 00405045: _fseek.LIBCMT ref: 0040505D
                                                                                        • Part of subcall function 00404FE9: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00404FF9
                                                                                        • Part of subcall function 00404FE9: FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404EEE,?,?,00000000,00000000), ref: 00405010
                                                                                        • Part of subcall function 00404FE9: LoadResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD60
                                                                                        • Part of subcall function 00404FE9: SizeofResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD75
                                                                                        • Part of subcall function 00404FE9: LockResource.KERNEL32(N@,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F,00000000), ref: 0043DD88
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$CreateException@8FindGlobalLoadLockSizeofStreamThrow__fread_nolock_fseek_memmovestd::exception::exception
                                                                                      • String ID: AU3!P/I$EA06
                                                                                      • API String ID: 2347112480-1914660620
                                                                                      • Opcode ID: 616ad67979b1f1bd45485429c489281964772726d7ecda918b3089ea528929d2
                                                                                      • Instruction ID: e4f2d0695f8a23f075e311890a29d80e38cea7919c4102c3fad58ec67193dbe6
                                                                                      • Opcode Fuzzy Hash: 616ad67979b1f1bd45485429c489281964772726d7ecda918b3089ea528929d2
                                                                                      • Instruction Fuzzy Hash: 11417BB1A041546BCF214B64C8517BF7FA6EB85304F28407BEE42BA2C2C57C8D41C7EA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

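The function record above reaches the embedded payload through FindResourceExW(hModule, RT_RCDATA (0x0A), "SCRIPT"), LoadResource, SizeofResource and LockResource, and its string set carries the markers AU3! and EA06 that the AutoIt loader checks against the resource header. RT_RCDATA resources are stored uncompressed in the image, so the same markers can be found by scanning the file on disk, which is the usual first step before handing the blob to an AutoIt decompiler. The Python below is an added example written for this report, not code from Joe Sandbox or from AutoIt: it scans a whole-file buffer for the compiled-script tag and for the runtime strings that appear as call arguments in this section (">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "AutoIt v3"), and carves each script blob to a sidecar file. The 16-byte AUTOIT_MAGIC prefix is an assumption taken from public AutoIt unpacker tooling rather than from this page, and the function and class names are hypothetical.

```python
"""Locate AutoIt v3 compiled-script indicators in a raw file buffer.

Added example for this report; not Joe Sandbox or AutoIt code.
Assumption: AUTOIT_MAGIC is the 16-byte prefix documented by public
AutoIt unpacker tooling; the report itself only shows "AU3!" and "EA06".
"""
import sys
from dataclasses import dataclass, field

# "AU3!" followed by "EA06": the two strings the loader compares, contiguous on disk.
SCRIPT_TAG = b"AU3!EA06"
# Assumption (not on the page): magic bytes that precede SCRIPT_TAG in compiled binaries.
AUTOIT_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
# Runtime strings seen as call arguments in this section of the report.
RUNTIME_MARKERS = (">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "AutoIt v3")
ENCODINGS = ("ascii", "utf-16-le")  # narrow and wide copies both occur in practice


@dataclass
class ScriptHit:
    tag_offset: int      # file offset of b"AU3!EA06"
    magic_present: bool  # True when AUTOIT_MAGIC immediately precedes the tag
    blob: bytes          # bytes from the magic (or tag) to the next hit or EOF


@dataclass
class ScanResult:
    markers: dict = field(default_factory=dict)  # marker -> list of encodings found
    scripts: list = field(default_factory=list)  # ScriptHit entries in file order

    @property
    def verdict(self) -> str:
        if any(h.magic_present for h in self.scripts):
            return "autoit-compiled"
        if self.scripts or self.markers:
            return "autoit-suspect"
        return "no-autoit-indicators"


def _find_all(buf: bytes, needle: bytes) -> list:
    """Return every offset of needle in buf, in increasing order."""
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def _blob_start(buf: bytes, tag_off: int) -> int:
    """Start of the script blob: the magic if present, else the tag itself."""
    start = tag_off - len(AUTOIT_MAGIC)
    return start if start >= 0 and buf[start:tag_off] == AUTOIT_MAGIC else tag_off


def scan_autoit(buf: bytes) -> ScanResult:
    """Scan a whole-file buffer for AutoIt runtime strings and compiled scripts."""
    result = ScanResult()
    for marker in RUNTIME_MARKERS:
        for enc in ENCODINGS:
            if marker.encode(enc) in buf:
                result.markers.setdefault(marker, []).append(enc)
    tags = _find_all(buf, SCRIPT_TAG)
    for i, off in enumerate(tags):
        start = _blob_start(buf, off)
        # The blob runs up to the next script's magic/tag, or to end of file.
        end = _blob_start(buf, tags[i + 1]) if i + 1 < len(tags) else len(buf)
        result.scripts.append(ScriptHit(off, start != off, buf[start:end]))
    return result


def main(path: str) -> int:
    """Scan one file, print a summary and write each carved blob beside it."""
    with open(path, "rb") as fh:
        res = scan_autoit(fh.read())
    print(f"{path}: {res.verdict}")
    for marker, encs in res.markers.items():
        print(f"  marker {marker!r} ({', '.join(encs)})")
    for n, hit in enumerate(res.scripts):
        conf = "high" if hit.magic_present else "low"
        print(f"  script #{n}: tag at 0x{hit.tag_offset:x}, "
              f"{len(hit.blob)} bytes, confidence {conf}")
        with open(f"{path}.script{n}.bin", "wb") as out:
            out.write(hit.blob)
    return 0 if res.scripts else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it as `python autoit_scan.py TkAngEQurH.exe`. A hit with magic_present False means the tag was found without the expected prefix (a patched or unusual build) and is reported at low confidence rather than dropped; a blob ends at the next script tag or at end of file, so the last carve may include trailing overlay data that the decompiler will ignore.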
                                                                                      APIs
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00B90000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                        • Part of subcall function 004235E1: DecodePointer.KERNEL32(?,004259CD,?,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 004235EA
                                                                                      • std::exception::exception.LIBCMT ref: 0042102C
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 004287DB: RaiseException.KERNEL32(?,?,?,004BBAF8,?,?,?,?,?,00421046,?,004BBAF8,?,00000001), ref: 00428830
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateDecodeExceptionException@8HeapPointerRaiseThrowstd::exception::exception
                                                                                      • String ID: bad allocation
                                                                                      • API String ID: 2525242304-2104205924
                                                                                      • Opcode ID: 12e3ba17a8172669695ef04a998e8a6190de6a729f9817d9ed93927822ba5661
                                                                                      • Instruction ID: 7ef10c6c1173b09cd5bea89a6eb30a235393a82e45e25364796afe6b045364de
                                                                                      • Opcode Fuzzy Hash: 12e3ba17a8172669695ef04a998e8a6190de6a729f9817d9ed93927822ba5661
                                                                                      • Instruction Fuzzy Hash: BAF0F93470127DB6CB20AA55FD059DF7BA89F00354F90402FF804A2691EFF88A8082EC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • VirtualProtect.KERNELBASE(?,?,00000004,00000004,?,00000000,53EC8B55,?,?,?,?), ref: 00389966
                                                                                      • VirtualProtect.KERNELBASE(?,00D1510B,00000004,?,?), ref: 0038998C
                                                                                      • VirtualProtect.KERNELBASE(?,?,?,00000040,?,00000000,53EC8B55,?,?,?,?), ref: 003899E7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 544645111-0
                                                                                      • Opcode ID: 79ca0a962b01af71572204504f8767120e5532883995fa19102ae5d9e3e05eb1
                                                                                      • Instruction ID: 6804c14baf8538b1f89881f23c7c1877b7e82823d3a45002173641ba3966a011
                                                                                      • Opcode Fuzzy Hash: 79ca0a962b01af71572204504f8767120e5532883995fa19102ae5d9e3e05eb1
                                                                                      • Instruction Fuzzy Hash: 3CB1F831645202EFEB2AEF90C495BB9F7B5BB84300B2E47D6D8099B641D731B980CBD1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.03%

                                                                                      APIs
                                                                                      • __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042A3AB: __NMSG_WRITE.LIBCMT ref: 0042A3D2
                                                                                        • Part of subcall function 0042A3AB: __NMSG_WRITE.LIBCMT ref: 0042A3DC
                                                                                      • __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042A408: GetModuleFileNameW.KERNEL32(00000000,004C43BA,00000104,00000000,00000000,?), ref: 0042A49A
                                                                                        • Part of subcall function 0042A408: GetStdHandle.KERNEL32(000000F4,00000000,00000000,?), ref: 0042A554
                                                                                        • Part of subcall function 0042A408: _strlen.LIBCMT ref: 0042A594
                                                                                        • Part of subcall function 0042A408: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042A5A3
                                                                                        • Part of subcall function 0042A408: __invoke_watson.LIBCMT ref: 0042A5BF
                                                                                        • Part of subcall function 004232DF: ___crtCorExitProcess.LIBCMT ref: 004232E5
                                                                                        • Part of subcall function 004232DF: ExitProcess.KERNEL32 ref: 004232EE
                                                                                      • RtlAllocateHeap.NTDLL(00B90000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                        • Part of subcall function 004235E1: DecodePointer.KERNEL32(?,004259CD,?,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 004235EA
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExitFileProcess$AllocateDecodeHandleHeapModuleNamePointerWrite___crt__getptd_noexit__invoke_watson_strlen
                                                                                      • String ID:
                                                                                      • API String ID: 15092741-0
                                                                                      • Opcode ID: c00ab26dc2cd3f1d57d41560e0b46e4202be8d45b80d44de397e9cae70c6823a
                                                                                      • Instruction ID: 51681375befe7b4efc193715c803360cbf5942a41623950cdb13c0d60d2addc5
                                                                                      • Opcode Fuzzy Hash: c00ab26dc2cd3f1d57d41560e0b46e4202be8d45b80d44de397e9cae70c6823a
                                                                                      • Instruction Fuzzy Hash: 0D01D2B1341B35EEE6157B26F852B6E72588F81775FD0003FF8049A2C1DA7C9D828A6D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                      • __lock.LIBCMT ref: 004235B2
                                                                                        • Part of subcall function 00429E4B: __mtinitlocknum.LIBCMT ref: 00429E5D
                                                                                        • Part of subcall function 00429E4B: EnterCriticalSection.KERNEL32(?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00429E76
                                                                                      • RtlDecodePointer.NTDLL(00000001,?,004049A7,004581BC), ref: 004235BE
                                                                                      • RtlEncodePointer.NTDLL(?,?,004049A7,004581BC), ref: 004235C9
                                                                                        • Part of subcall function 00429FB5: LeaveCriticalSection.KERNEL32(?,00429D1B,0000000D,00429CD6), ref: 00429FC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalPointerSection$DecodeEncodeEnterLeave__lock__mtinitlocknum
                                                                                      • String ID:
                                                                                      • API String ID: 2625109469-0
                                                                                      • Opcode ID: f0f687c99d72e35ff3597eea0d1eb39ddd87317301f877e45278460e588003d2
                                                                                      • Instruction ID: 43b77fceb529d27b8fed4b1eaa527640059df970b8b7b5fac95191ab6a691f5a
                                                                                      • Opcode Fuzzy Hash: f0f687c99d72e35ff3597eea0d1eb39ddd87317301f877e45278460e588003d2
                                                                                      • Instruction Fuzzy Hash: 69D05B726003146BCA017BF6FD0EA497F54D7447A1F04043EFF08C61A0DE754850878C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 4.01%

                                                                                      APIs
                                                                                        • Part of subcall function 00407CB3: _memmove.LIBCMT ref: 00407D13
                                                                                      • _memmove.LIBCMT ref: 00407C0B
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00407C76
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1300846289-0
                                                                                      • Opcode ID: 777cbc845bfd00394b90e8724b6553a128f1c9f6bd5f96b2cd1a45470a349808
                                                                                      • Instruction ID: dca2659d15994c90c6c09ac9109f1b02cf59a28755a4f5d1953427ae19ac93cb
                                                                                      • Opcode Fuzzy Hash: 777cbc845bfd00394b90e8724b6553a128f1c9f6bd5f96b2cd1a45470a349808
                                                                                      • Instruction Fuzzy Hash: 2F31D3B1A08506AFD714CF28D881E6AB3A8FF48314715823EE915CB391EB74F851CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                      • IsThemeActive.UXTHEME ref: 00404992
                                                                                        • Part of subcall function 004235AC: __lock.LIBCMT ref: 004235B2
                                                                                        • Part of subcall function 004235AC: RtlDecodePointer.NTDLL(00000001,?,004049A7,004581BC), ref: 004235BE
                                                                                        • Part of subcall function 004235AC: RtlEncodePointer.NTDLL(?,?,004049A7,004581BC), ref: 004235C9
                                                                                        • Part of subcall function 00404A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404A73
                                                                                        • Part of subcall function 00404A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404A88
                                                                                        • Part of subcall function 00403B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B7A
                                                                                        • Part of subcall function 00403B4C: IsDebuggerPresent.KERNEL32(?,?), ref: 00403B8C
                                                                                        • Part of subcall function 00403B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C62F8,004C62E0,?,?), ref: 00403BFD
                                                                                        • Part of subcall function 00403B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C81
                                                                                        • Part of subcall function 00403B4C: MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B93F0,00000010), ref: 0043D4BC
                                                                                        • Part of subcall function 00403B4C: SetCurrentDirectoryW.KERNEL32(?,004C62F8,?,?,?), ref: 0043D4F4
                                                                                        • Part of subcall function 00403B4C: GetForegroundWindow.USER32 ref: 0043D57A
                                                                                        • Part of subcall function 00403B4C: ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D581
                                                                                      • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 004049D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryInfoParametersSystem$Pointer$ActiveDebuggerDecodeEncodeExecuteForegroundFullMessageNamePathPresentShellThemeWindow__lock
                                                                                      • String ID:
                                                                                      • API String ID: 266129024-0
                                                                                      • Opcode ID: 5410f46a1a81539200a2eeef6a8c5e81a175194c6352785b6e035db14a7f21cc
                                                                                      • Instruction ID: 4f3c985aaa7260ea6862a91c50e24ca429db6960d63ed6b712eae347e098ba5b
                                                                                      • Opcode Fuzzy Hash: 5410f46a1a81539200a2eeef6a8c5e81a175194c6352785b6e035db14a7f21cc
                                                                                      • Instruction Fuzzy Hash: FA116D716043119BC300EF29E80591AFBF8EB94714F00853FF545932A2DB749945CB9E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.25%

                                                                                      APIs
                                                                                      • timeGetTime.WINMM ref: 00412E1A
                                                                                        • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
                                                                                        • Part of subcall function 00410B30: timeGetTime.WINMM ref: 00410E76
                                                                                        • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
                                                                                        • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 00410FC7
                                                                                        • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00410FD5
                                                                                        • Part of subcall function 00410B30: Sleep.KERNELBASE(0000000A), ref: 00410FDF
                                                                                        • Part of subcall function 00410B30: LockWindowUpdate.USER32(00000000), ref: 0041105A
                                                                                        • Part of subcall function 00410B30: DestroyWindow.USER32 ref: 00411066
                                                                                        • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
                                                                                        • Part of subcall function 00410B30: timeGetTime.WINMM ref: 004110B2
                                                                                        • Part of subcall function 00410B30: TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,%I,?), ref: 004452AD
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,?,?,?,?,?), ref: 00445844
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(00000000), ref: 00445A00
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(?,00000000,?,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,?,?,?,?,?), ref: 00445A96
                                                                                        • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
                                                                                        • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
                                                                                        • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445C7D
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00445F24
                                                                                        • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
                                                                                        • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
                                                                                        • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445FEB
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
                                                                                        • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 0044608A
                                                                                        • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00446098
                                                                                        • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
                                                                                      • Sleep.KERNEL32(00000000), ref: 00412E53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Sleep$TimeTranslatetime$CloseCodeDispatchExitHandleObjectPeekProcessSingleWaitWindow$AcceleratorDestroyLockUpdate
                                                                                      • String ID:
                                                                                      • API String ID: 2075848024-0
                                                                                      • Opcode ID: 4f661270d66c229034034d54e3c30d960e7b35e1359dad9d1b9127d91c7bc182
                                                                                      • Instruction ID: d1c300ea91655eb9307443d86ffdf73ab59f85eace83877eb630077676957e6f
                                                                                      • Opcode Fuzzy Hash: 4f661270d66c229034034d54e3c30d960e7b35e1359dad9d1b9127d91c7bc182
                                                                                      • Instruction Fuzzy Hash: 54F05E312446019BD350AF69D559BA6B7E4AF45350F00003EE86DD7352CB70AC44C795
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.31%

                                                                                      APIs
                                                                                      • __calloc_crt.LIBCMT ref: 00422E5A
                                                                                        • Part of subcall function 00428A15: __calloc_impl.LIBCMT ref: 00428A24
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00422E64
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: EncodePointer__calloc_crt__calloc_impl
• String ID:
• API String ID: 1313826993-0
• Opcode ID: c8676dd660c7eefd106528180395904a2849ec008534d2bae86df56401002fe1
• Instruction ID: da289241f13c79bf68db0239506904f1207daf2422722450c71c90c663fb0b43
• Opcode Fuzzy Hash: c8676dd660c7eefd106528180395904a2849ec008534d2bae86df56401002fe1
• Instruction Fuzzy Hash: FDD05B33A497305EE3B16B257C05B9A37D0D744730F12446FF900D61C0DF644841478C
Uniqueness

Uniqueness Score: 1.23%

APIs
• VirtualAlloc.KERNELBASE(00000000,09CE0D4A,00000000,00000000,00003000,00000004), ref: 0038C9D2
• VirtualFree.KERNELBASE(00000000,CD53F5DD,?,00000000,00008000), ref: 0038CA26
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 14568cc286a4688675cd45f9b73adf225e7e265cd117d232f7d45d2520d78309
• Instruction ID: d8c311b08a9e992617a5dc4ab8b3b6204c11ed6d73d53bbd9efa0abdac57d2fa
• Opcode Fuzzy Hash: 14568cc286a4688675cd45f9b73adf225e7e265cd117d232f7d45d2520d78309
• Instruction Fuzzy Hash: 16211F70A54309BFFB119F708C8AFA9BB78FF04B40F5491A5BA18BE1D1D77599108B24
Uniqueness

Uniqueness Score: 0.17%

APIs
• KiUserExceptionDispatcher.NTDLL(E0000216,00000000,003977D1,?,?,?,003A47F0,?), ref: 00397C22
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 4caa01125b3d56e58b4fa56734df7197a4113a0d9abc20f14e24a50d037a8e4c
• Instruction ID: 9c9e2e50d5b835af339f433660e9b859514305efc3f8e6807e7bb9358ba3de5a
• Opcode Fuzzy Hash: 4caa01125b3d56e58b4fa56734df7197a4113a0d9abc20f14e24a50d037a8e4c
• Instruction Fuzzy Hash: E441C13192D6D68BDF2B9E78C8943E5BBA1FF57360B6905D5C4804F193D713944ACB80
Uniqueness

Uniqueness Score: 0.19%

APIs
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
• _memmove.LIBCMT ref: 0040774A
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: Exception@8Throw_memmovestd::exception::exception
• String ID:
• API String ID: 1602317333-0
• Opcode ID: c7ff76707e68dd1649446b8809288c315ccfb6490b93a1f86683a2138af42fb8
• Instruction ID: 148bf7845b9bfd5bb1bd6289e710206c27fb0d1581dedbb952c856e9d84f120b
• Opcode Fuzzy Hash: c7ff76707e68dd1649446b8809288c315ccfb6490b93a1f86683a2138af42fb8
• Instruction Fuzzy Hash: 5131D475A08A12DFC7249F19D190922F7A0FF08360714C53FE84A9B7A1E774F881CB8A
Uniqueness

Uniqueness Score: 0.36%

APIs
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 691215b5fde71f84ba4157909e6c6bd8e9f2b14ba3ae5d5d846b05b691d97e04
• Instruction ID: 4f35de3bd7cb32edc3c82026cddc1214cbdb1bf771d77ce34197b3f11daa4a73
• Opcode Fuzzy Hash: 691215b5fde71f84ba4157909e6c6bd8e9f2b14ba3ae5d5d846b05b691d97e04
• Instruction Fuzzy Hash: 3E21FE71A08609EBEB144F25FC4277A7BB4FF18350F21857FE486D5191EB3894A4874E
Uniqueness

Uniqueness Score: 0.36%

APIs
  • Part of subcall function 00404D13: FreeLibrary.KERNEL32(00000000,?), ref: 00404D4D
  • Part of subcall function 0042548B: __wfsopen.LIBCMT ref: 00425496
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F
  • Part of subcall function 00404DD0: _memmove.LIBCMT ref: 00404E1A
  • Part of subcall function 00404FAA: FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
  • Part of subcall function 00404CC8: FreeLibrary.KERNEL32(00000000), ref: 00404D02
  • Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: Library$Free$Load__fread_nolock__wfsopen_memmove
• String ID:
• API String ID: 1609775715-0
• Opcode ID: fbbe6342810aae6eb3a13c8902bab970ddb5b1228b8784956d1a4a8ed967591a
• Instruction ID: 5856fbc04598f8720763e5afc42e8c3a4794c7060b7466c2264c1c7e33684289
• Opcode Fuzzy Hash: fbbe6342810aae6eb3a13c8902bab970ddb5b1228b8784956d1a4a8ed967591a
• Instruction Fuzzy Hash: 8211E771600606AADB10BF71DC02B6E77A89F84714F10843FFA41B72C1DA7D9A159B59
Uniqueness

Uniqueness Score: 0.09%

APIs
• _memmove.LIBCMT ref: 00407F82
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: Exception@8Throw_memmovestd::exception::exception
• String ID:
• API String ID: 1602317333-0
• Opcode ID: 8760702c13fc74c5039c64040808ec9a9645cb46cb96adaba1e76e788e64bae9
• Instruction ID: a481b228ba030df6875f9a6dd2da52b06f57c7a09d876ea22ea353c417f4835c
• Opcode Fuzzy Hash: 8760702c13fc74c5039c64040808ec9a9645cb46cb96adaba1e76e788e64bae9
• Instruction Fuzzy Hash: EB0126B26043027ED3205B39DC02F63BB94AB44760F10863FF51ACB2D1EA79E4008758
Uniqueness

Uniqueness Score: 0.36%

APIs
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
• _memmove.LIBCMT ref: 0045FC88
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: Exception@8Throw_memmovestd::exception::exception
• String ID:
• API String ID: 1602317333-0
• Opcode ID: bb67aa961ed85a7a54b5feca877a1ff1f2a2effc2d0ffda91d0c5cec861b0993
• Instruction ID: 2728c7377d2fb3091888e666e74eab3efefd279969e8fcd463a9dd8d880a9b88
• Opcode Fuzzy Hash: bb67aa961ed85a7a54b5feca877a1ff1f2a2effc2d0ffda91d0c5cec861b0993
• Instruction Fuzzy Hash: B401D6322002256BCB24DF2DD88196BB7A9EFC5358714443EFC0ACB246E631E905C791
Uniqueness

Uniqueness Score: 0.36%

APIs
• FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
  • Part of subcall function 004255D6: __lock_file.LIBCMT ref: 0042561B
  • Part of subcall function 004255D6: __fclose_nolock.LIBCMT ref: 00425626
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: FreeLibrary__fclose_nolock__lock_file
• String ID:
• API String ID: 1424536762-0
• Opcode ID: 33e20a952f2e8d0d1fe5c77e63e757c0056158892867987900cbbd52313694f7
• Instruction ID: 9f4c00c3caf65de6ea716a0b429dd2d7583c2b82718a0f3f6db7eedc70ddef11
• Opcode Fuzzy Hash: 33e20a952f2e8d0d1fe5c77e63e757c0056158892867987900cbbd52313694f7
• Instruction Fuzzy Hash: B3F039B1105712DFCB349F64E494816BBE2BF443293208A3FE2D692A50C739A884DF49
Uniqueness

Uniqueness Score: 0.03%

APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004209F4
  • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
• Opcode ID: 782b4155a6be5666b9d6f7013c8adbab57ca25bad31f58bf0dd3291e7fbeca14
• Instruction ID: 7974ecc8d6474924d437b965a90c8222220e8c30f7c7811ba04b272f454b6667
• Opcode Fuzzy Hash: 782b4155a6be5666b9d6f7013c8adbab57ca25bad31f58bf0dd3291e7fbeca14
• Instruction Fuzzy Hash: 23E0263290022857C720E2589C05FFAB3ACDF88290F0001BAFC0CD3204D964AC818694
Uniqueness

Uniqueness Score: 0.21%

APIs
• VirtualAlloc.KERNELBASE(00000000,09CE0D4A,00000000,?,00003000,00000004), ref: 0039835E
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 5b072f8f7ccd644d1863391c81af6dae480b7708c2c32fcbde894d917b1f8024
• Instruction ID: 7ccf41003649a3e5a7e17a3623c913186d81a12512e5ab7771863117e0061afd
• Opcode Fuzzy Hash: 5b072f8f7ccd644d1863391c81af6dae480b7708c2c32fcbde894d917b1f8024
• Instruction Fuzzy Hash: 5C91C23490C206EAEF134B658D85FBA767CAFC3740F354867E947A9C80DF309905BA26
Uniqueness

Uniqueness Score: 0.00%

APIs
• __wfsopen.LIBCMT ref: 00425496
  • Part of subcall function 004254A0: __getstream.LIBCMT ref: 004254F0
  • Part of subcall function 004254A0: @_EH4_CallFilterFunc@8.LIBCMT ref: 0042552B
  • Part of subcall function 004254A0: __wopenfile.LIBCMT ref: 0042553B
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: CallFilterFunc@8__getstream__wfsopen__wopenfile
• String ID:
• API String ID: 4064380324-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: 46a80e34e794c1a8cabf707ff87d233abccaec3d4d3113a971d4033361891bdf
• Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction Fuzzy Hash: CBB0927694020C77DE012E82FC02B697B199B44678F808021FB0C18162A677A6A09689
Uniqueness

Uniqueness Score: 2.04%

APIs
• KiUserExceptionDispatcher.NTDLL(E0000156,?,003984D1,?,00380198,?,-00DA36EC,00380198,-6345E181,00380198,?,?), ref: 003985BA
Memory Dump Source
• Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 8d000ff5603b81d0488a500497f1b8ef7f2d3fc7e3d88bdb03da15b1d34e2658
• Instruction ID: 4f396ec3a82cd598686e0c6bb24346187e1e1b115ab055eacadd83e131ab56df
• Opcode Fuzzy Hash: 8d000ff5603b81d0488a500497f1b8ef7f2d3fc7e3d88bdb03da15b1d34e2658
• Instruction Fuzzy Hash: 06B092791618108FC201EB99D99CEA9B3E1FFCD312F5598E1E25DCB211DA1046029B84
Uniqueness

                                                                                      Uniqueness Score: 0.19%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL(E0000107,?,00397751,?), ref: 00397E71
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: a37cf9b971665701cfb3ec4bfeb27e3888c67994b9ea65ffdbd490416e5108fe
                                                                                      • Instruction ID: 44a40747177551ccd23d9d07e4ef71f414bfd9716f7cb3d6abfcb7930697a32c
                                                                                      • Opcode Fuzzy Hash: a37cf9b971665701cfb3ec4bfeb27e3888c67994b9ea65ffdbd490416e5108fe
                                                                                      • Instruction Fuzzy Hash: 3EB09231A441168FC601EFA8D08CAE873E6BB8C300F3188B1E288C7230E620990A8B11
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.19%

                                                                                      APIs
                                                                                      • RtlEncodePointer.NTDLL(0042A730,004233F0,00000000,00000000,00000000,00000000,00000000), ref: 0042A769
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodePointer
                                                                                      • String ID:
                                                                                      • API String ID: 2118026453-0
                                                                                      • Opcode ID: b099f3d81180c5901ffbe3b9a6e79c65983757674502b88ca7a2d2bad456539b
                                                                                      • Instruction ID: eebce8f2417fcbd939ec70b27f3c6012329136301deee71cbb14e520e27e25f6
                                                                                      • Opcode Fuzzy Hash: b099f3d81180c5901ffbe3b9a6e79c65983757674502b88ca7a2d2bad456539b
                                                                                      • Instruction Fuzzy Hash: 69A002F4E563608B87505F70FE1990A7AF0B7C5702B51057EEC5181264DB784025AB1E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.05%

                                                                                      Non-executed Functions

                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004880E0
                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004880FF
                                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00488123
                                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00488134
                                                                                      • SendMessageW.USER32(?,00000149,00000000,00000000), ref: 00488153
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00488186
                                                                                      • SendMessageW.USER32(?,0000133C,00000000,?), ref: 004881AC
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004881E7
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 0048822E
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 00488256
                                                                                      • IsMenu.USER32(?), ref: 0048826F
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882CA
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882F8
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0048836C
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004883BB
                                                                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 00488456
                                                                                      • wsprintfW.USER32 ref: 0048847E
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004884A0
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 004884C8
                                                                                      • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004884EA
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048850A
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00488531
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 0040463E: _wcsncpy.LIBCMT ref: 00404652
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 004885AB
                                                                                      • _memset.LIBCMT ref: 004885BD
                                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 004885EC
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00488625
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00488676
                                                                                      • CharNextW.USER32(00000000), ref: 004886B1
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 004886E1
                                                                                      • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 004886FC
                                                                                      • _memset.LIBCMT ref: 00488709
                                                                                      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 0048872A
                                                                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0048873F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$Menu$InfoItemLongText_memset_wcscpy$CharException@8NextThrow__i64tow__itow_wcsncpystd::exception::exceptionwsprintf
                                                                                      • String ID: %d/%02d/%02d$0
                                                                                      • API String ID: 2743317742-4206205729
                                                                                      • Opcode ID: 5059ae11ea541f98f5c1cd242e66ed88df343c98d396fc69c2da753e30ebbc98
                                                                                      • Instruction ID: 1694620be85d9f4a29f3fb548ce2e2fcd9673ad025b7a1e90bc8429aa5b278b6
                                                                                      • Opcode Fuzzy Hash: 5059ae11ea541f98f5c1cd242e66ed88df343c98d396fc69c2da753e30ebbc98
                                                                                      • Instruction Fuzzy Hash: DA12F471500214ABEB24AF24CC49FAF7BB4EF45710F60492EF915EA2E1EF788941CB18
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$_memset
                                                                                      • String ID: DEFINE$OaA$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$athan
                                                                                      • API String ID: 1357608183-1312225879
                                                                                      • Opcode ID: 7d82e88c8c583c3cf55e43ee8ba79f162b63989cccceeed3ce797de6903fdd66
                                                                                      • Instruction ID: 0f2016292ce7af36af0f0c3c89fa088be26185f2ba7aa12bc90a9d7b287e4a4c
                                                                                      • Opcode Fuzzy Hash: 7d82e88c8c583c3cf55e43ee8ba79f162b63989cccceeed3ce797de6903fdd66
                                                                                      • Instruction Fuzzy Hash: 2C93A371A002199BDB24CF58C8817EEB7B1FF48715F24816BED45AB381E7789D86CB48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00435CF4
                                                                                      • ___crtIsPackagedApp.LIBCMT ref: 00435CFB
                                                                                      • LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000800,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D1A
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D26
                                                                                      • LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000000,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D3C
                                                                                      • GetProcAddress.KERNEL32(00000000,MessageBoxW,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D52
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00435D61
                                                                                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D6E
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00435D75
                                                                                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D82
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00435D89
                                                                                      • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435D96
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00435D9D
                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435DAE
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00435DB5
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435DBF
                                                                                      • OutputDebugStringW.KERNEL32(?,?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435DD1
                                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,0042A54D,004C4388,Microsoft Visual C++ Runtime Library,00012010), ref: 00435DEF
                                                                                      • RtlDecodePointer.NTDLL(00000000), ref: 00435E11
                                                                                      • RtlDecodePointer.NTDLL ref: 00435E1C
                                                                                      • RtlDecodePointer.NTDLL(00000000), ref: 00435E61
                                                                                      • RtlDecodePointer.NTDLL(00000000), ref: 00435E79
                                                                                      • RtlDecodePointer.NTDLL ref: 00435E8D
                                                                                        • Part of subcall function 0042C836: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435B51
                                                                                        • Part of subcall function 0042C836: ___raise_securityfailure.LIBCMT ref: 00435C38
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$DecodeEncode$AddressProc$LibraryLoadPresent$DebugDebuggerErrorFeatureLastOutputPackagedProcessorString___crt___raise_securityfailure
                                                                                      • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                                                      • API String ID: 97357100-564504941
                                                                                      • Opcode ID: 67692df2a90b64cfb2ca71d2dab81c6183001a442f09778e226da224704586d6
                                                                                      • Instruction ID: de014ab2273c1a8db88a068a7f435dd34fa8e165460fc89267ca89f4e15a35a6
                                                                                      • Opcode Fuzzy Hash: 67692df2a90b64cfb2ca71d2dab81c6183001a442f09778e226da224704586d6
                                                                                      • Instruction Fuzzy Hash: 59518271900A06ABCB119BB59C49E6F7BB8BF48B40F24553AF505E3250DB78DD40CBAC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32 ref: 00404A3D
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043DA8E
                                                                                      • IsIconic.USER32(?), ref: 0043DA97
                                                                                      • ShowWindow.USER32(?,00000009), ref: 0043DAA4
                                                                                      • SetForegroundWindow.USER32(?), ref: 0043DAAE
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043DAC4
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0043DACB
                                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043DAD7
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAE8
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAF0
                                                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043DAF8
                                                                                      • SetForegroundWindow.USER32(?), ref: 0043DAFB
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB10
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0043DB1B
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB25
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0043DB2A
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB33
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0043DB38
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB42
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0043DB47
                                                                                      • SetForegroundWindow.USER32(?), ref: 0043DB4A
                                                                                      • AttachThreadInput.USER32(?,?,00000000), ref: 0043DB71
                                                                                      • AttachThreadInput.USER32(?,00000000,00000000), ref: 0043DB79
                                                                                      • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043DB81
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                      • String ID: $k w$$k w$Lj w$Shell_TrayWnd
                                                                                      • API String ID: 3778422247-3904050060
                                                                                      • Opcode ID: f9275528528b807d0c255385b8317845eae72d2de6d0c65feb9d7ed8998e7865
                                                                                      • Instruction ID: b87912adca826af034faba5527973e3e3f308b649105ed48d0b0d9dcf2124600
                                                                                      • Opcode Fuzzy Hash: f9275528528b807d0c255385b8317845eae72d2de6d0c65feb9d7ed8998e7865
                                                                                      • Instruction Fuzzy Hash: 47318771E803187BEB306BA19C49F7F7E6CDB44B51F215036BA04E61C1CAB44D11AAA9
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$__isdigit_l_memcmp
                                                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$OaA$UCP)$UTF)$UTF16)
                                                                                      • API String ID: 354189410-3302439341
                                                                                      • Opcode ID: b575eb5cd43adaea0de128a74aa3f58823f576806eefacb0f2dd0bce3e4b62d6
                                                                                      • Instruction ID: 3784516a1003e1c275ce3f2ff5430e7d36dc90e0b9f0d34c2957a4bb797dab3e
                                                                                      • Opcode Fuzzy Hash: b575eb5cd43adaea0de128a74aa3f58823f576806eefacb0f2dd0bce3e4b62d6
                                                                                      • Instruction Fuzzy Hash: 8B72AE71E002199BDB24CF59C8807EEB7B5EF48310F15806BE849EB391E7789D85CB99
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      APIs
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00B90000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                      • _memmove.LIBCMT ref: 004133D7
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00413470
                                                                                      • _free.LIBCMT ref: 00413496
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                      • _memmove.LIBCMT ref: 00413549
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                        • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$Heap_wcscpy$AllocateErrorException@8FreeLastThrow__i64tow__itow_freestd::exception::exception
                                                                                      • String ID: OaA
                                                                                      • API String ID: 403207814-4189730831
                                                                                      • Opcode ID: ed206b401d3418ddabb68cbd665224f90af44a32e33aa6551fdfab0439b26318
                                                                                      • Instruction ID: 2ffd56a64c60677c5789fbd16bfbcfb13b798939f1cd0f2cf633511a31807f6c
                                                                                      • Opcode Fuzzy Hash: ed206b401d3418ddabb68cbd665224f90af44a32e33aa6551fdfab0439b26318
                                                                                      • Instruction Fuzzy Hash: 70229D716083019FD724DF14C881BABB7E5AF84704F10492EF89697392DB78EE45CB9A
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00463EB6
                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00463EC4
                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00463EE4
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00463F8E
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                      • String ID: %I
                                                                                      • API String ID: 2576544623-63094095
                                                                                      • Opcode ID: 3ffacf92776744d34e5bed9ce163fb83ba132918f27232e59d0ab2f5e8250a37
                                                                                      • Instruction ID: bc57a40dc23490dc388bdabf7fd9d7894261e16e4d08916f741d4787c1592c25
                                                                                      • Opcode Fuzzy Hash: 3ffacf92776744d34e5bed9ce163fb83ba132918f27232e59d0ab2f5e8250a37
                                                                                      • Instruction Fuzzy Hash: B731C2715083419FD304EF21C885AAFBBF8EF99344F10093EF481921A1EB75AA49CB57
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%
                                                                                      APIs
                                                                                      • DefDlgProcW.USER32(?,?), ref: 004019FA
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • GetSysColor.USER32(0000000F), ref: 00401A4E
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00401A61
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                        • Part of subcall function 0040167D: DefDlgProcW.USER32(?,00000007,?,00000000), ref: 004016AB
                                                                                        • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                                                        • Part of subcall function 00401290: GetClientRect.USER32(?,?), ref: 0043B84B
                                                                                        • Part of subcall function 00401290: GetCursorPos.USER32(?), ref: 0043B855
                                                                                        • Part of subcall function 00401290: ScreenToClient.USER32(?,?), ref: 0043B860
                                                                                        • Part of subcall function 0040189B: DefDlgProcW.USER32(?,00000006,00000000,?), ref: 004018E2
                                                                                        • Part of subcall function 0048CC88: GetWindowRect.USER32(?,?), ref: 0048CCAD
                                                                                        • Part of subcall function 0048CC88: GetWindowRect.USER32(?,?), ref: 0048CD0C
                                                                                        • Part of subcall function 0048CC88: MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0048CD46
                                                                                        • Part of subcall function 0048D74C: GetSystemMetrics.USER32(0000000F), ref: 0048D78A
                                                                                        • Part of subcall function 0048D74C: GetSystemMetrics.USER32(0000000F), ref: 0048D7AA
                                                                                        • Part of subcall function 0048D74C: MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0048D9E5
                                                                                        • Part of subcall function 0048D74C: SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048DA03
                                                                                        • Part of subcall function 0048D74C: SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048DA24
                                                                                        • Part of subcall function 0048D74C: ShowWindow.USER32(00000003,00000000), ref: 0048DA43
                                                                                        • Part of subcall function 0048D74C: InvalidateRect.USER32(?,00000000,00000001), ref: 0048DA68
                                                                                        • Part of subcall function 0048D74C: DefDlgProcW.USER32(?,00000005,?,?), ref: 0048DA8B
                                                                                        • Part of subcall function 004016B5: DefDlgProcW.USER32(?,00000002,00000000,00000000), ref: 004016D4
                                                                                        • Part of subcall function 0048C86D: SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0048C8C7
                                                                                        • Part of subcall function 0048C86D: DefDlgProcW.USER32(?,0000002B,?,?), ref: 0048C8E1
                                                                                        • Part of subcall function 0048D6C6: DefDlgProcW.USER32(?,00000115,?,?), ref: 0048D740
                                                                                        • Part of subcall function 0048DA9A: DefDlgProcW.USER32(?,00000112,?,00000000), ref: 0048DB46
                                                                                        • Part of subcall function 0048C49C: PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C4EC
                                                                                        • Part of subcall function 0048C49C: GetFocus.USER32 ref: 0048C4FC
                                                                                        • Part of subcall function 0048C49C: GetDlgCtrlID.USER32(00000000), ref: 0048C507
                                                                                        • Part of subcall function 0048C49C: _memset.LIBCMT ref: 0048C632
                                                                                        • Part of subcall function 0048C49C: GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C65D
                                                                                        • Part of subcall function 0048C49C: GetMenuItemCount.USER32(?), ref: 0048C67D
                                                                                        • Part of subcall function 0048C49C: GetMenuItemID.USER32(?,00000000), ref: 0048C690
                                                                                        • Part of subcall function 0048C49C: GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C6C4
                                                                                        • Part of subcall function 0048C49C: GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C70C
                                                                                        • Part of subcall function 0048C49C: CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C744
                                                                                        • Part of subcall function 0048C49C: DefDlgProcW.USER32(?,00000111,?,?), ref: 0048C779
                                                                                        • Part of subcall function 0048CD6C: GetWindowLongW.USER32(?,000000EC), ref: 0048CD74
                                                                                        • Part of subcall function 0048CD6C: DefDlgProcW.USER32(?,00000084,00000000), ref: 0048CDA2
                                                                                        • Part of subcall function 0048C788: GetCursorPos.USER32(?), ref: 0048C7C2
                                                                                        • Part of subcall function 0048C788: TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048C7D7
                                                                                        • Part of subcall function 0048C788: GetCursorPos.USER32(?), ref: 0048C824
                                                                                        • Part of subcall function 0048C788: DefDlgProcW.USER32(?,0000007B,?), ref: 0048C85E
                                                                                        • Part of subcall function 0048CBF9: DefDlgProcW.USER32(?,00000053,?,?), ref: 0048CC24
                                                                                        • Part of subcall function 0048CDAC: DefDlgProcW.USER32(?,0000004E,?,?), ref: 0048CE50
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CE91
                                                                                        • Part of subcall function 0048CDAC: GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048CED6
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CF00
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048CF29
                                                                                        • Part of subcall function 0048CDAC: _wcsncpy.LIBCMT ref: 0048CFA1
                                                                                        • Part of subcall function 0048CDAC: GetKeyState.USER32(00000011), ref: 0048CFC2
                                                                                        • Part of subcall function 0048CDAC: GetKeyState.USER32(00000009), ref: 0048CFCF
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CFE5
                                                                                        • Part of subcall function 0048CDAC: GetKeyState.USER32(00000010), ref: 0048CFEF
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048D018
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D03F
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001030,?,0048B602), ref: 0048D145
                                                                                        • Part of subcall function 0048CDAC: ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?), ref: 0048D15B
                                                                                        • Part of subcall function 0048CDAC: ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048D16E
                                                                                        • Part of subcall function 0048CDAC: SetCapture.USER32(?), ref: 0048D177
                                                                                        • Part of subcall function 0048CDAC: ClientToScreen.USER32(?,?), ref: 0048D1DC
                                                                                        • Part of subcall function 0048CDAC: ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048D1E9
                                                                                        • Part of subcall function 0048CDAC: InvalidateRect.USER32(?,00000000,00000001), ref: 0048D203
                                                                                        • Part of subcall function 0048CDAC: ReleaseCapture.USER32 ref: 0048D20E
                                                                                        • Part of subcall function 0048CDAC: GetCursorPos.USER32(?), ref: 0048D248
                                                                                        • Part of subcall function 0048CDAC: ScreenToClient.USER32(?,?), ref: 0048D255
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D2B1
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D2DF
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D31C
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D34B
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D36C
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D37B
                                                                                        • Part of subcall function 0048CDAC: GetCursorPos.USER32(?), ref: 0048D39B
                                                                                        • Part of subcall function 0048CDAC: ScreenToClient.USER32(?,?), ref: 0048D3A8
                                                                                        • Part of subcall function 0048CDAC: GetParent.USER32(?), ref: 0048D3C8
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D431
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D462
                                                                                        • Part of subcall function 0048CDAC: ClientToScreen.USER32(?,?), ref: 0048D4C0
                                                                                        • Part of subcall function 0048CDAC: TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D4F0
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D51A
                                                                                        • Part of subcall function 0048CDAC: SendMessageW.USER32 ref: 0048D53D
                                                                                        • Part of subcall function 0048CDAC: ClientToScreen.USER32(?,?), ref: 0048D58F
                                                                                        • Part of subcall function 0048CDAC: TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D5C3
                                                                                        • Part of subcall function 0048CDAC: GetWindowLongW.USER32(?,000000F0), ref: 0048D65F
                                                                                        • Part of subcall function 00456BAE: GetSysColor.USER32(0000000F), ref: 00456BCD
                                                                                        • Part of subcall function 00456BAE: SetBkColor.GDI32(?,00000000), ref: 00456BE2
                                                                                        • Part of subcall function 00401765: BeginPaint.USER32(?,?), ref: 0040179A
                                                                                        • Part of subcall function 00401765: GetWindowRect.USER32(?,?), ref: 004017FE
                                                                                        • Part of subcall function 00401765: ScreenToClient.USER32(?,?), ref: 0040181B
                                                                                        • Part of subcall function 00401765: SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
                                                                                        • Part of subcall function 00401765: EndPaint.USER32(?,?), ref: 00401876
                                                                                        • Part of subcall function 00401765: Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0043BACB
                                                                                        • Part of subcall function 0048C220: DefDlgProcW.USER32(?,00000204,?), ref: 0048C272
                                                                                        • Part of subcall function 0048CC2E: ClientToScreen.USER32(?,?), ref: 0048CC51
                                                                                        • Part of subcall function 0048CC2E: ImageList_DragMove.COMCTL32(?,?,?,?,?,?,?,0043BC66), ref: 0048CC5D
                                                                                        • Part of subcall function 0048CC2E: DefDlgProcW.USER32(?,00000200,?,?), ref: 0048CC7A
                                                                                        • Part of subcall function 004016DE: GetParent.USER32(?), ref: 0043BA0A
                                                                                        • Part of subcall function 004016DE: DefDlgProcW.USER32(?,00000133,?,?), ref: 0043BA84
                                                                                        • Part of subcall function 0048C27C: ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 0048C2E4
                                                                                        • Part of subcall function 0048C27C: ImageList_EndDrag.COMCTL32 ref: 0048C2EA
                                                                                        • Part of subcall function 0048C27C: ReleaseCapture.USER32 ref: 0048C2F0
                                                                                        • Part of subcall function 0048C27C: SetWindowTextW.USER32(?,00000000), ref: 0048C39A
                                                                                        • Part of subcall function 0048C27C: SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0048C3AD
                                                                                        • Part of subcall function 0048C27C: DefDlgProcW.USER32(?,00000202,?), ref: 0048C48F
                                                                                      • IsThemeActive.UXTHEME ref: 0043BC84
                                                                                      • DefDlgProcW.USER32(?,0000031A), ref: 0043BC97
                                                                                        • Part of subcall function 0048C8EE: DragQueryPoint.SHELL32(?,?), ref: 0048C917
                                                                                        • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B0,?,?), ref: 0048C980
                                                                                        • Part of subcall function 0048C8EE: DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C98B
                                                                                        • Part of subcall function 0048C8EE: DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C9AE
                                                                                        • Part of subcall function 0048C8EE: _wcscat.LIBCMT ref: 0048C9DE
                                                                                        • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C9F5
                                                                                        • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B0,?,?), ref: 0048CA0E
                                                                                        • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA25
                                                                                        • Part of subcall function 0048C8EE: SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA47
                                                                                        • Part of subcall function 0048C8EE: DragFinish.SHELL32(?), ref: 0048CA4E
                                                                                        • Part of subcall function 0048C8EE: DefDlgProcW.USER32(?,00000233,?,00000000), ref: 0048CB41
                                                                                        • Part of subcall function 0048CBAE: DefDlgProcW.USER32(?,00000232,?,?), ref: 0048CBEE
                                                                                        • Part of subcall function 0048CB7F: DefDlgProcW.USER32 ref: 0048CBA4
                                                                                        • Part of subcall function 0048CB50: DefDlgProcW.USER32 ref: 0048CB75
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Send$Proc$Window$Drag$ClientMenu$Screen$Image$CursorItemList_Rect$ColorLong$CaptureInfoMovePopupQueryStateTrack$BeginFileInvalidateMetricsPaintParentReleaseSystem$ActiveBrushCheckCountCreateCtrlEnterFinishFocusLeavePointPostRadioRectangleShowSolidTextThemeViewport_memset_wcscat_wcsncpy
                                                                                      • String ID:
                                                                                      • API String ID: 961471779-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.46%

                                                                                      APIs
                                                                                      • _memmove.LIBCMT ref: 0040E234
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00443BAC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,%I), ref: 0046A0FC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString_memmove_wprintf$Exception@8MessageThrowstd::exception::exception
                                                                                      • String ID: %I
                                                                                      • API String ID: 120496405-63094095
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004082E0: CharUpperBuffW.USER32(?,?), ref: 004082FD
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 0041047A
                                                                                      • _memmove.LIBCMT ref: 004107DF
                                                                                      • _memmove.LIBCMT ref: 0041080E
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(00000066,?,00000FFF,%I), ref: 0046A0FC
                                                                                        • Part of subcall function 0046A0B5: LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A246
                                                                                        • Part of subcall function 0046A0B5: _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 0046A0B5: MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                        • Part of subcall function 00409E9C: #9.OLEAUT32(?,?,?,?,?,00469D81,?,00000001,-004C5E88,?,00455CCE,?,?,?,0040FAE1,00000000), ref: 0043FE11
                                                                                        • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410BBB
                                                                                        • Part of subcall function 00410B30: timeGetTime.WINMM ref: 00410E76
                                                                                        • Part of subcall function 00410B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410FB3
                                                                                        • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 00410FC7
                                                                                        • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00410FD5
                                                                                        • Part of subcall function 00410B30: Sleep.KERNELBASE(0000000A), ref: 00410FDF
                                                                                        • Part of subcall function 00410B30: LockWindowUpdate.USER32(00000000), ref: 0041105A
                                                                                        • Part of subcall function 00410B30: DestroyWindow.USER32 ref: 00411066
                                                                                        • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
                                                                                        • Part of subcall function 00410B30: timeGetTime.WINMM ref: 004110B2
                                                                                        • Part of subcall function 00410B30: TranslateAcceleratorW.USER32(?,?,?), ref: 00445189
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,%I,?), ref: 004452AD
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A,?,?), ref: 004454A2
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(00000000,00000000,?,00000000,?,00000001,?,?,?,00000001,?,?,?,?,?), ref: 00445844
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(00000000), ref: 00445A00
                                                                                        • Part of subcall function 00410B30: #9.OLEAUT32(?,00000000,?,00000000,00000000,?,-00000001,00000000,00000001,@COM_EVENTOBJ,?,?,?,?,?), ref: 00445A96
                                                                                        • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00445C51
                                                                                        • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445C71
                                                                                        • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445C7D
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(0000000A), ref: 00445F24
                                                                                        • Part of subcall function 00410B30: GetExitCodeProcess.KERNEL32(?,?), ref: 00445FBF
                                                                                        • Part of subcall function 00410B30: WaitForSingleObject.KERNEL32(?,00000000), ref: 00445FD7
                                                                                        • Part of subcall function 00410B30: CloseHandle.KERNEL32(?), ref: 00445FEB
                                                                                        • Part of subcall function 00410B30: Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00446058
                                                                                        • Part of subcall function 00410B30: TranslateMessage.USER32(?), ref: 0044608A
                                                                                        • Part of subcall function 00410B30: DispatchMessageW.USER32(?), ref: 00446098
                                                                                        • Part of subcall function 00410B30: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC
                                                                                        • Part of subcall function 0047A5EE: CharUpperBuffW.USER32(?,?), ref: 0047A67E
                                                                                        • Part of subcall function 00456C62: _memmove.LIBCMT ref: 00456CAC
                                                                                        • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Sleep_memmove$Translate$BuffCharCloseCodeDispatchExitHandleLoadObjectPeekProcessSingleStringTimeUpperWaitWindow_wprintftime$AcceleratorDestroyException@8LockThrowUpdatestd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1936138902-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883487060.00380000.00000040.sdmp, Offset: 00380000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_380000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 6[6o$8F8K$G=i=$==
                                                                                      • API String ID: 0-215436572
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00464C2C
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00464C43
                                                                                      • FreeSid.ADVAPI32(?), ref: 00464C53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID:
                                                                                      • API String ID: 3429775523-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.04%

                                                                                      APIs
                                                                                      • GetFileAttributesW.KERNEL32(?,0043E7C1), ref: 004646A6
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 004646B7
                                                                                      • FindClose.KERNEL32(00000000), ref: 004646C7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$AttributesCloseFirst
                                                                                      • String ID:
                                                                                      • API String ID: 48322524-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.13%

                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A39A
                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0042A3A3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.02%

                                                                                      APIs
                                                                                      • ___libm_error_support.LIBCMT ref: 0042FC43
                                                                                        • Part of subcall function 00433718: DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00432653), ref: 00433734
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: DecodePointer___libm_error_support
                                                                                      • String ID:
                                                                                      • API String ID: 3413902329-0
                                                                                      • Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                                                                      • Instruction ID: bce05383f65911ef53e75d5f2b7ae8bd864113105c6f5f1cb0bb4096b20a0191
                                                                                      • Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                                                                      • Instruction Fuzzy Hash: 9A325921E29F114DD7235634D832336A258AFB73C8F95D737F819B5EA6DB28D4834208
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.05%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4f66ab0580a314d221ab9376d4eb50f49803d2a8e394490c5a9382fd7f99d6c8
                                                                                      • Instruction ID: 9a981ba99b4911944b9919f44c7759cb7337f05dfe0c326ced162c2a54403da9
                                                                                      • Opcode Fuzzy Hash: 4f66ab0580a314d221ab9376d4eb50f49803d2a8e394490c5a9382fd7f99d6c8
                                                                                      • Instruction Fuzzy Hash: 47222730505656CBDF288B18C4A46BF77A1EB41311F64446FE8468B392EB3C9DC6CBAD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                      • Instruction ID: 3a63805bb8c2c01de1b6144fc2d7500bdbb157a027ed3d5f9b560445ff49f309
                                                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                      • Instruction Fuzzy Hash: C2C1C6323050B309DB2D8639A63013FBAE15EA27B139A076FE4B3CB6D4EF58D564D614
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                      • Instruction ID: aaf8636ec1f05b4987ac2accbf93641bd6487308852fa21464a5fdbc51815f71
                                                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                      • Instruction Fuzzy Hash: 18C1B7323050B309DB2D8639A63413FBBE15EA27B139A076FE4B2DB6D4EF18D524D614
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                      • Instruction ID: 352b80a13901650c5d1a9b37a84c8fb9e1ba645c1686a9e0a67cf8c2712344ee
                                                                                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                      • Instruction Fuzzy Hash: DEC1B7323050B30ADF1D8639A63403FBAE15EA27B135A076FE4B2CB6D5EF58D524D624
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                      • Instruction ID: bd4c7480dd6a54fddd699a2b0be912f6d58b05d3aceaa853b4bc4e982cd790e2
                                                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                      • Instruction Fuzzy Hash: 3FC165363051A309DB2D863AA53403FBAE15EB27B135B076FE4B2CB6E4EF18D5249614
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.00%

                                                                                      APIs
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 0048A89F
                                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0048A8BE
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0048A8D0
                                                                                      • GetSysColor.USER32(0000000F), ref: 0048A8DC
                                                                                      • CreateSolidBrush.GDI32(000000FF), ref: 0048A8E7
                                                                                      • SetBkColor.GDI32(?,000000FF), ref: 0048A8F6
                                                                                      • SelectObject.GDI32(?,?), ref: 0048A905
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A930
                                                                                      • GetSysColor.USER32(00000010), ref: 0048A938
                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 0048A93F
                                                                                      • FrameRect.USER32(?,?,00000000), ref: 0048A94E
                                                                                      • DeleteObject.GDI32(00000000), ref: 0048A955
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A96D
                                                                                      • DrawFrameControl.USER32(?,?,00000004,00000010), ref: 0048A97D
                                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A9A0
                                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A9BA
                                                                                      • FillRect.USER32(?,?,?), ref: 0048A9D2
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0048A9FD
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048AA4E
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 0048AA79
                                                                                      • DrawTextW.USER32(?,?,000000FF,?,00000104), ref: 0048AA8C
                                                                                      • GetSysColor.USER32(00000011), ref: 0048AAAF
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 0048AAB7
                                                                                      • DrawTextW.USER32(?,?,000000FF,?,00000000), ref: 0048AACD
                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 0048AAE8
                                                                                      • FrameRect.USER32(?,00000000,00000000), ref: 0048AAF7
                                                                                      • DeleteObject.GDI32(00000000), ref: 0048AAFE
                                                                                      • InflateRect.USER32(?,000000FC,000000FC), ref: 0048AB0D
                                                                                      • DrawFocusRect.USER32(?,00000000), ref: 0048AB19
                                                                                      • SelectObject.GDI32(?,?), ref: 0048AB2E
                                                                                      • DeleteObject.GDI32(?), ref: 0048AB38
                                                                                      • SetTextColor.GDI32(?,?), ref: 0048AB43
                                                                                      • SetBkColor.GDI32(?,?), ref: 0048AB4E
                                                                                        • Part of subcall function 0048AB60: GetSysColor.USER32(00000012), ref: 0048AB99
                                                                                        • Part of subcall function 0048AB60: SetTextColor.GDI32(?,?), ref: 0048AB9D
                                                                                        • Part of subcall function 0048AB60: GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
                                                                                        • Part of subcall function 0048AB60: GetSysColor.USER32(0000000F), ref: 0048ABBE
                                                                                        • Part of subcall function 0048AB60: CreateSolidBrush.GDI32(?), ref: 0048ABC3
                                                                                        • Part of subcall function 0048AB60: GetSysColor.USER32(00000011), ref: 0048ABDB
                                                                                        • Part of subcall function 0048AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
                                                                                        • Part of subcall function 0048AB60: SelectObject.GDI32(?,00000000), ref: 0048ABFA
                                                                                        • Part of subcall function 0048AB60: SetBkColor.GDI32(?,00000000), ref: 0048AC03
                                                                                        • Part of subcall function 0048AB60: SelectObject.GDI32(?,?), ref: 0048AC10
                                                                                        • Part of subcall function 0048AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
                                                                                        • Part of subcall function 0048AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
                                                                                        • Part of subcall function 0048AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B
                                                                                        • Part of subcall function 0048AB60: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048ACA7
                                                                                        • Part of subcall function 0048AB60: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048ACCE
                                                                                        • Part of subcall function 0048AB60: InflateRect.USER32(?,000000FD,000000FD), ref: 0048ACEC
                                                                                        • Part of subcall function 0048AB60: DrawFocusRect.USER32(?,?), ref: 0048ACF7
                                                                                        • Part of subcall function 0048AB60: GetSysColor.USER32(00000011), ref: 0048AD05
                                                                                        • Part of subcall function 0048AB60: SetTextColor.GDI32(?,00000000), ref: 0048AD0D
                                                                                        • Part of subcall function 0048AB60: DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AD21
                                                                                        • Part of subcall function 0048AB60: SelectObject.GDI32(?,0048A869), ref: 0048AD38
                                                                                        • Part of subcall function 0048AB60: DeleteObject.GDI32(?), ref: 0048AD43
                                                                                        • Part of subcall function 0048AB60: SelectObject.GDI32(?,?), ref: 0048AD49
                                                                                        • Part of subcall function 0048AB60: DeleteObject.GDI32(?), ref: 0048AD4E
                                                                                        • Part of subcall function 0048AB60: SetTextColor.GDI32(?,?), ref: 0048AD54
                                                                                        • Part of subcall function 0048AB60: SetBkColor.GDI32(?,?), ref: 0048AD5E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$Rect$Text$Object$Inflate$BrushDrawSelect$CreateDelete$SolidWindow$Frame$FocusLongMessageSend$ControlException@8FillRoundThrowstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 2948665181-0
                                                                                      • Opcode ID: 76d3aff8c14f81946196c8a998a3575b65bbb248a9691f256eae4fa49a1bd179
                                                                                      • Instruction ID: 452232081cd78e43451fe9d0edc745e4d0d3487f89d4aa1c860563aee330a7d3
                                                                                      • Opcode Fuzzy Hash: 76d3aff8c14f81946196c8a998a3575b65bbb248a9691f256eae4fa49a1bd179
                                                                                      • Instruction Fuzzy Hash: ACA17D72408301BFD710AF64DC08A6F7BA9FB89321F104E3EF962961A1D774D859CB56
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.25%

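The function records in this report follow a fixed layout (an `APIs` list, a `Memory Dump Source` list, a `Uniqueness Score`), which makes them easy to load into a triage script instead of scrolling through thousands of lines. The parser below is an added example, not Joe Sandbox code; its sample input is a handful of lines constructed from the records above. It assumes the dump file name is laid out as process index, dump stage, dump id, base address, page protection (the last field read as a Windows PAGE_* constant, so 00000040 is PAGE_EXECUTE_READWRITE), which is an assumption about the naming scheme rather than something the report states.

```python
"""Parse Joe Sandbox HCA function records (API list, dump sources, uniqueness)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the function records in this report.
SAMPLE_RECORD = """\
APIs
• ___libm_error_support.LIBCMT ref: 0042FC43
  • Part of subcall function 00433718: DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00432653), ref: 00433734
• SetTextColor.GDI32(?,00000000), ref: 0048A89F
• DestroyWindow.USER32 ref: 00402CA2
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C68B
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
  • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
Uniqueness Score: 0.25%
"""

# "<name>.<module>(<args>), ref: <addr>"; args are optional, so is the subcall prefix.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Assumed field order of the .sdmp name: pidx.stage.dumpid.base.protection
DUMP_RE = re.compile(
    r"(?P<pidx>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{8})\.(?P<prot>[0-9A-Fa-f]{8})\.sdmp"
)
PAGE_EXECUTE_READWRITE = 0x40   # Windows memory protection constants
PAGE_EXECUTE_WRITECOPY = 0x80


@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[List[str]]    # None when the report shows no argument list
    ref: int                     # address of the call site
    caller: Optional[int]        # subcall function address, None for direct calls


@dataclass
class DumpSource:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protection: int

    def is_writable_executable(self) -> bool:
        # RWX regions are where unpacked or injected code usually lives.
        return self.protection in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    sources: List[DumpSource] = field(default_factory=list)
    uniqueness: Optional[float] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return ApiCall(
        name=m.group("name"),
        module=m.group("module"),
        args=None if args is None else ([] if args == "" else args.split(",")),
        ref=int(m.group("ref"), 16),
        caller=None if m.group("caller") is None else int(m.group("caller"), 16),
    )


def parse_dump_name(text: str) -> Optional[DumpSource]:
    m = DUMP_RE.search(text)
    if not m:
        return None
    return DumpSource(int(m["pidx"], 16), int(m["stage"], 16), int(m["dumpid"]),
                      int(m["base"], 16), int(m["prot"], 16))


def parse_record(text: str) -> FunctionRecord:
    rec = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()      # drop bullet and indentation
        if line.startswith(("Source File:", "Associated:")):
            src = parse_dump_name(line)
            if src:
                rec.sources.append(src)
        elif line.startswith("Uniqueness Score:"):
            rec.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        else:
            call = parse_api_line(line)
            if call:
                rec.apis.append(call)
    return rec


def modules_used(rec: FunctionRecord) -> List[str]:
    return sorted({c.module for c in rec.apis})


def direct_calls(rec: FunctionRecord) -> List[ApiCall]:
    return [c for c in rec.apis if c.caller is None]


def rwx_sources(rec: FunctionRecord) -> List[DumpSource]:
    return [s for s in rec.sources if s.is_writable_executable()]


if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(len(r.apis), "API calls,", len(direct_calls(r)), "direct; modules:", modules_used(r))
    for s in rwx_sources(r):
        print(f"RWX dump region at {s.base:#010x} (protection {s.protection:#04x})")
```

With the report loaded this way, the usual questions (which functions in the RWX region at 0x401000 touch network or process APIs, which records have a uniqueness score above some threshold) become one-line filters rather than a manual scan.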
                                                                                      APIs
                                                                                      • DestroyWindow.USER32 ref: 00402CA2
                                                                                      • DeleteObject.GDI32(00000000), ref: 00402CE8
                                                                                      • DeleteObject.GDI32(00000000), ref: 00402CF3
                                                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                                                                                      • DestroyWindow.USER32(00000000), ref: 00402D09
                                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C68B
                                                                                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C6C4
                                                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 0043C792
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048B9CC
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(00000000,00000000), ref: 0048B9F0
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048BA50
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(00000000,00000004), ref: 0048BA62
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(00000000,00000001), ref: 0048BA86
                                                                                        • Part of subcall function 0048B958: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9
                                                                                        • Part of subcall function 00402C18: MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043CAED
                                                                                      • DestroyWindow.USER32 ref: 0043C856
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?), ref: 0043C869
                                                                                      • DestroyMenu.USER32(?), ref: 0043C8EB
                                                                                      • DestroyMenu.USER32(?), ref: 0043C904
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C92F
                                                                                      • _memset.LIBCMT ref: 0043C98C
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0043C9A7
                                                                                      • DeleteMenu.USER32(?,?,00000000), ref: 0043CA00
                                                                                      • DeleteMenu.USER32(?,?,00000000), ref: 0043CA16
                                                                                      • GetMenuItemCount.USER32(?), ref: 0043CA2D
                                                                                      • SetMenu.USER32(?,00000000), ref: 0043CA3A
                                                                                      • DestroyMenu.USER32(?), ref: 0043CA46
                                                                                      • DrawMenuBar.USER32(?), ref: 0043CA55
                                                                                      • SendMessageW.USER32(?,00001101,00000000,?), ref: 0043CA6D
                                                                                      • SendMessageW.USER32(?,00001053), ref: 0043CB2A
                                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043CB41
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$DestroyMenu$MessageSend$Delete$ImageList_Show$EnableItemObject$CountDrawIconInfoLongMoveRemove_memset
                                                                                      • String ID: 0
                                                                                      • API String ID: 1516704526-4108050209
                                                                                      • Opcode ID: 6187f4c0bb388091fe11e685e7b7da9a09c521fa3c2b3010c7494aa3c4575cd4
                                                                                      • Instruction ID: b7389f8fee4e5da017ea5760de9854557745ca7af685468a7280b0f07d881e75
                                                                                      • Opcode Fuzzy Hash: 6187f4c0bb388091fe11e685e7b7da9a09c521fa3c2b3010c7494aa3c4575cd4
                                                                                      • Instruction Fuzzy Hash: CD12C030604201EFDB14DF24C988BAAB7E1BF09314F54557EE885EB2A2C779EC42CB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 5.06%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • __wcsnicmp.LIBCMT ref: 00406A91
                                                                                        • Part of subcall function 00423A0B: __wcsnicmp_l.LIBCMT ref: 00423AB4
                                                                                      • __wcsnicmp.LIBCMT ref: 00406AA9
                                                                                      • __wcsnicmp.LIBCMT ref: 00406AC1
                                                                                      • __wcsnicmp.LIBCMT ref: 00406AD9
                                                                                      • __wcsnicmp.LIBCMT ref: 00406AF1
                                                                                      • __wcsnicmp.LIBCMT ref: 00406B09
                                                                                      • __wcsnicmp.LIBCMT ref: 00406B21
                                                                                      • __wcsnicmp.LIBCMT ref: 00406B35
                                                                                      • __wcsnicmp.LIBCMT ref: 00406B76
                                                                                      • __wcsnicmp.LIBCMT ref: 00406B8A
                                                                                      • __wcsnicmp.LIBCMT ref: 00406B9E
                                                                                      • __wcsnicmp.LIBCMT ref: 00406BB2
                                                                                        • Part of subcall function 0041FEC6: _wcscpy.LIBCMT ref: 0041FEE9
                                                                                        • Part of subcall function 0046000D: _wcscpy.LIBCMT ref: 00460152
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406D0D
                                                                                        • Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?), ref: 00406E5A
                                                                                        • Part of subcall function 00406BEC: _free.LIBCMT ref: 0043EB9C
                                                                                        • Part of subcall function 00406BEC: _free.LIBCMT ref: 0043EBE2
                                                                                        • Part of subcall function 0045FCB1: GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E6C9,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045FCD2
                                                                                        • Part of subcall function 0045FCB1: LoadStringW.USER32(00000000,?,0043E6C9,00000010), ref: 0045FCD9
                                                                                        • Part of subcall function 0045FCB1: _wprintf.LIBCMT ref: 0045FD0C
                                                                                        • Part of subcall function 0045FCB1: MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045FD9D
                                                                                        • Part of subcall function 004059CD: _wcscpy.LIBCMT ref: 00405A05
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wcsnicmp$_wcscpy$CurrentDirectory_free$Exception@8HandleLoadMessageModuleStringThrow__wcsnicmp_l_memmove_wprintfstd::exception::exception
                                                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                      • API String ID: 1646735393-86951937
                                                                                      • Opcode ID: da2fcaf9ef5c9a10b3db8a2e7ba8459d79afd212a10ec52453b0bee91e935911
                                                                                      • Instruction ID: 8187de94c8bffb5aa90f003ee6c2c3bd34f27edaa7f64cb26bdd9306e81e5eb5
                                                                                      • Opcode Fuzzy Hash: da2fcaf9ef5c9a10b3db8a2e7ba8459d79afd212a10ec52453b0bee91e935911
                                                                                      • Instruction Fuzzy Hash: B381F8B0741215A6CB20BB22DD82FAF7768AF15304F14403BF946BA1C1E77CEA55C65D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000012), ref: 0048AB99
                                                                                      • SetTextColor.GDI32(?,?), ref: 0048AB9D
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
                                                                                      • GetSysColor.USER32(0000000F), ref: 0048ABBE
                                                                                      • CreateSolidBrush.GDI32(?), ref: 0048ABC3
                                                                                      • GetSysColor.USER32(00000011), ref: 0048ABDB
                                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0048ABFA
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0048AC03
                                                                                      • SelectObject.GDI32(?,?), ref: 0048AC10
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
                                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048ACA7
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048ACCE
                                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0048ACEC
                                                                                      • DrawFocusRect.USER32(?,?), ref: 0048ACF7
                                                                                      • GetSysColor.USER32(00000011), ref: 0048AD05
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 0048AD0D
                                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AD21
                                                                                      • SelectObject.GDI32(?,0048A869), ref: 0048AD38
                                                                                      • DeleteObject.GDI32(?), ref: 0048AD43
                                                                                      • SelectObject.GDI32(?,?), ref: 0048AD49
                                                                                      • DeleteObject.GDI32(?), ref: 0048AD4E
                                                                                      • SetTextColor.GDI32(?,?), ref: 0048AD54
                                                                                      • SetBkColor.GDI32(?,?), ref: 0048AD5E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$Exception@8FocusLongMessageRoundSendSolidThrowstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 1165068691-0
                                                                                      • Opcode ID: ca33d3042f408dd9160401dbc04af8b562fa4e5f3182410edd60d99307db504b
                                                                                      • Instruction ID: a0d8ef5a968e449155e436a7069eb707e167a0f70bd7a905c438ca864edfdcef
                                                                                      • Opcode Fuzzy Hash: ca33d3042f408dd9160401dbc04af8b562fa4e5f3182410edd60d99307db504b
                                                                                      • Instruction Fuzzy Hash: 6C617471900218BFEF11DFA4DC48EAE7B79EF08320F244926F911AB2A1D7B59D50DB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 004028C4
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 004028F7
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 0040291C
                                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                                                                                      • GetStockObject.GDI32(00000011), ref: 004029CA
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                                                                                        • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                                                        • Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                                        • Part of subcall function 00402344: GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
                                                                                      • SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 004029FC
                                                                                        • Part of subcall function 0048B00F: DestroyWindow.USER32(?), ref: 0048B04A
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • GetWindowRect.USER32(?,?), ref: 0043C39C
                                                                                      • GetClientRect.USER32(?,?), ref: 0043C3A9
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 0043C3B1
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 0043C3C4
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 0043C3E9
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,?), ref: 00402ACF
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,00000000), ref: 00402B17
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,00000006), ref: 0043C46A
                                                                                        • Part of subcall function 00402A5B: LockWindowUpdate.USER32(00000000), ref: 0043C492
                                                                                        • Part of subcall function 00402A5B: InvalidateRect.USER32(00000000,00000000,00000001), ref: 0043C49E
                                                                                        • Part of subcall function 00402A5B: LockWindowUpdate.USER32(FFFFFFFF), ref: 0043C4AE
                                                                                        • Part of subcall function 00402A5B: EnableWindow.USER32(FFFFFFFF,00000001), ref: 0043C4BF
                                                                                        • Part of subcall function 00402A5B: ShowWindow.USER32(FFFFFFFF,?), ref: 0043C4D6
                                                                                        • Part of subcall function 004034C2: _memmove.LIBCMT ref: 0043D28C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$System$MetricsRect$Show$ClientLong$AsyncInfoLockParametersStateUpdate$AdjustCreateCursorDestroyEnableException@8InvalidateMessageObjectScreenSendStockThrowTimer_memmovestd::exception::exception
                                                                                      • String ID: AutoIt v3 GUI$athan
                                                                                      • API String ID: 3027708390-1045250848
                                                                                      • Opcode ID: bb1922fa0d3274e5e5d9c46e7996511c92627301f57afafe0139ac51e934f35e
                                                                                      • Instruction ID: 34a51bb5a318ae1a344add4034b802b2dd09297663e35ec0c622bb09f95dc302
                                                                                      • Opcode Fuzzy Hash: bb1922fa0d3274e5e5d9c46e7996511c92627301f57afafe0139ac51e934f35e
                                                                                      • Instruction Fuzzy Hash: 21B18275600205AFDB14DF68DD89BAE7BB4FB08314F10863AFA15A72D0DB78A851CF58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.69%

                                                                                      APIs
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • GetForegroundWindow.USER32 ref: 00416042
                                                                                        • Part of subcall function 004034C2: _memmove.LIBCMT ref: 0043D28C
                                                                                        • Part of subcall function 0045B1E0: __wcsnicmp.LIBCMT ref: 0045B23F
                                                                                        • Part of subcall function 0045B1E0: __wcsnicmp.LIBCMT ref: 0045B25B
                                                                                        • Part of subcall function 0045B1E0: __wcsnicmp.LIBCMT ref: 0045B283
                                                                                      • EnumChildWindows.USER32(00000000), ref: 004510D1
                                                                                        • Part of subcall function 0045A3E6: CharUpperBuffW.USER32(?,00000001), ref: 0045A470
                                                                                      • IsWindow.USER32(?), ref: 00450FFA
                                                                                      • GetForegroundWindow.USER32 ref: 0045100E
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 004510A2
                                                                                      • EnumWindows.USER32(0045B397,?), ref: 004510D9
                                                                                        • Part of subcall function 00407FAF: _memmove.LIBCMT ref: 00408003
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 004510BD
                                                                                      • GetDesktopWindow.USER32 ref: 004510CA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$BuffCharUpper__wcsnicmp_memmove$EnumForegroundWindows$ChildDesktop
                                                                                      • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE$%I
                                                                                      • API String ID: 1617993030-1162635239
                                                                                      • Opcode ID: 7afad609ab36abd7c166971e199184ce53bd6c78a1c8726f8686002e5627edb1
                                                                                      • Instruction ID: b47751c77230b49a93ab5999e00c69dfd5d66f05824f9e1bf1f711ef4991895b
                                                                                      • Opcode Fuzzy Hash: 7afad609ab36abd7c166971e199184ce53bd6c78a1c8726f8686002e5627edb1
                                                                                      • Instruction Fuzzy Hash: 6CD10C31104602EFCB14EF11C441A9ABBA0BF54349F104A2FF855576A3CB7CE99ECB9A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • __wcsnicmp.LIBCMT ref: 0045B23F
                                                                                        • Part of subcall function 00423A0B: __wcsnicmp_l.LIBCMT ref: 00423AB4
                                                                                      • __wcsnicmp.LIBCMT ref: 0045B25B
                                                                                      • __wcsnicmp.LIBCMT ref: 0045B283
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                        • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wcsnicmp$_memmove$__wcsicmp_l__wcsnicmp_l
                                                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                      • API String ID: 4253603199-1810252412
                                                                                      • Opcode ID: 0b693f046f3cbb4e9986c71513b34e1c2095760d41905b3713bfb5f333990725
                                                                                      • Instruction ID: 0a4734ff45ec4583e3e81acf795fc21f567cbd392f16838e952200b8ee8254f0
                                                                                      • Opcode Fuzzy Hash: 0b693f046f3cbb4e9986c71513b34e1c2095760d41905b3713bfb5f333990725
                                                                                      • Instruction Fuzzy Hash: B5318B30A04205A6DB14EA62CD43BEE77A4DF24756F60006FB941720D2EF6D6E09C9AE
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.28%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • DragQueryPoint.SHELL32(?,?), ref: 0048C917
                                                                                        • Part of subcall function 0048ADF1: ClientToScreen.USER32(?,?), ref: 0048AE1A
                                                                                        • Part of subcall function 0048ADF1: GetWindowRect.USER32(?,?), ref: 0048AE90
                                                                                        • Part of subcall function 0048ADF1: PtInRect.USER32(?,?,?), ref: 0048AEA0
                                                                                        • Part of subcall function 0048ADF1: MessageBeep.USER32(00000000), ref: 0048AF11
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C980
                                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C98B
                                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C9AE
                                                                                      • _wcscat.LIBCMT ref: 0048C9DE
                                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C9F5
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0048CA0E
                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA25
                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA47
                                                                                      • DragFinish.SHELL32(?), ref: 0048CA4E
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000), ref: 0048CB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Send$Drag$Query$FileRectWindow$BeepClientFinishLongPointProcScreen_memmove_wcscat
                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                      • API String ID: 2215142556-3440237614
                                                                                      • Opcode ID: 94eb9f17866416fc7e10bf29e2b941fb84a0329db1260e751546af4c74d11337
                                                                                      • Instruction ID: 9d54b60ae23129ec17e3264f3c4c669362dbaaf1ee08fbcc713ae4d442fb7e93
                                                                                      • Opcode Fuzzy Hash: 94eb9f17866416fc7e10bf29e2b941fb84a0329db1260e751546af4c74d11337
                                                                                      • Instruction Fuzzy Hash: B6617F71108301AFC701EF65DC85D9FBBF8EF88714F500A2EF591A21A1DB749A49CB6A
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048BB6E
                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00486D80,?), ref: 0048BBCA
                                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048BC03
                                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048BC46
                                                                                      • FreeLibrary.KERNEL32(?), ref: 0048BC89
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048BC7D
                                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048BC99
                                                                                      • DestroyIcon.USER32(?), ref: 0048BCA8
                                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BCC5
                                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BCD1
                                                                                        • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$Image$IconLibraryMessageSend_wcscpy$DestroyExtractFree__i64tow__itow__wcsicmp_l
                                                                                      • String ID: .dll$.exe$.icl
                                                                                      • API String ID: 4220660294-1154884017
                                                                                      • Opcode ID: 6f4018506f42393adc083cbdf86df128419452e7279bc71467a7f069fee2e887
                                                                                      • Instruction ID: 5a3b5a0298842a06514a7b2b5c33ff8de858cebeb355adee2c65811140294771
                                                                                      • Opcode Fuzzy Hash: 6f4018506f42393adc083cbdf86df128419452e7279bc71467a7f069fee2e887
                                                                                      • Instruction Fuzzy Hash: 3461EF71600219BEEB14EF64CC45BBF77A8EB08711F10492FF815D61C0DBB8A994DBA8
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0048BD10
                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0048BD27
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0048BD32
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0048BD3F
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 0048BD48
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0048BD57
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0048BD60
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0048BD67
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0048BD78
                                                                                      • #418.OLEAUT32(?,00000000,00000000,00492CAC,?), ref: 0048BD91
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 0048BDA1
                                                                                      • GetObjectW.GDI32(?,00000018,000000FF), ref: 0048BDC5
                                                                                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0048BDF0
                                                                                      • DeleteObject.GDI32(00000000), ref: 0048BE18
                                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0048BE2E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                                                                                      • String ID:
                                                                                      • API String ID: 2779716855-0
                                                                                      • Opcode ID: 2ef3c73d0ecf62ea383054c8459600fe69dcae0fa81eb6f10a909750517e530a
                                                                                      • Instruction ID: 591bd05ee601cdb4eeeaba152367ddfaf644c5d0e7d28595dd03dcf49ad8e52e
                                                                                      • Opcode Fuzzy Hash: 2ef3c73d0ecf62ea383054c8459600fe69dcae0fa81eb6f10a909750517e530a
                                                                                      • Instruction Fuzzy Hash: 36413675600208BFDB21AF65DC88EAFBBB8FB89711F204869F905DB260D7359D05CB64
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.12%

                                                                                      APIs
                                                                                      • #8.OLEAUT32(00000000,00000000,?,?,?,?,?,?,0000002A,00000000,0048F910), ref: 00467FE9
                                                                                      • #10.OLEAUT32(00000000,?,?,?,?,?,?,0000002A,00000000,0048F910), ref: 00467FF2
                                                                                      • #9.OLEAUT32(00000000,?,?,?,?,?,0000002A,00000000,0048F910), ref: 00467FFE
                                                                                      • #185.OLEAUT32(?,?,?,?,0000002A,00000000,0048F910), ref: 004680EC
                                                                                      • #220.OLEAUT32(?,?,?,?,?,00000029,00000000,Default), ref: 00468148
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • #8.OLEAUT32(?,?,00000000,00000000), ref: 004681F9
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • #6.OLEAUT32(00000016,00000016), ref: 0046828D
                                                                                      • #9.OLEAUT32(?), ref: 004682E7
                                                                                      • #9.OLEAUT32(?), ref: 004682F6
                                                                                      • #8.OLEAUT32(00000000,00000000,?,00000000,00000000), ref: 00468334
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 00467804: #8.OLEAUT32(00000000,?,?,00000016,00000016,?,004799E9,?,?), ref: 00467844
                                                                                        • Part of subcall function 00467804: #10.OLEAUT32(00000000,?,?,004799E9,?,?), ref: 0046784D
                                                                                        • Part of subcall function 00467804: #9.OLEAUT32(00000000,?,004799E9,?,?), ref: 00467859
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$#185#220Exception@8Throwstd::exception::exception
                                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                      • API String ID: 468446875-3931177956
                                                                                      • Opcode ID: 0a78f8544e829205d4617bc1d2a12d163966e155d0a9664df5021d7ae6b6d03c
                                                                                      • Instruction ID: 2682ed8c0086b85f7f7a5589b892ebf4bccd9fa06ddd6521cb48c12ef20c28d5
                                                                                      • Opcode Fuzzy Hash: 0a78f8544e829205d4617bc1d2a12d163966e155d0a9664df5021d7ae6b6d03c
                                                                                      • Instruction Fuzzy Hash: 30D1E330600515DBCB109F66C844B6AB7B4BF04704F158A6FE405AB2C1EF7DAC49EB6B
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 1.97%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C4EC
                                                                                      • GetFocus.USER32 ref: 0048C4FC
                                                                                      • GetDlgCtrlID.USER32(00000000), ref: 0048C507
                                                                                        • Part of subcall function 00487F4C: GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00487FBA
                                                                                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                      • _memset.LIBCMT ref: 0048C632
                                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C65D
                                                                                      • GetMenuItemCount.USER32(?), ref: 0048C67D
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0048C690
                                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C6C4
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C70C
                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C744
                                                                                        • Part of subcall function 0048B60B: IsWindow.USER32(00BD7938), ref: 0048B6A5
                                                                                        • Part of subcall function 0048B60B: IsWindowEnabled.USER32(00BD7938), ref: 0048B6B1
                                                                                        • Part of subcall function 0048B60B: SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B795
                                                                                        • Part of subcall function 0048B60B: SendMessageW.USER32(00BD7938,000000B0,?,?), ref: 0048B7CC
                                                                                        • Part of subcall function 0048B60B: IsDlgButtonChecked.USER32(?,?), ref: 0048B809
                                                                                        • Part of subcall function 0048B60B: GetWindowLongW.USER32(00BD7938,000000EC), ref: 0048B82B
                                                                                        • Part of subcall function 0048B60B: SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B843
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • DefDlgProcW.USER32(?,00000111,?,?), ref: 0048C779
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Window$InfoMessage$LongSend$ButtonCheckCheckedCountCtrlEnabledException@8FocusPostProcRadioThrow_memsetstd::exception::exception
                                                                                      • String ID: 0
                                                                                      • API String ID: 1009432489-4108050209
                                                                                      • Opcode ID: 6e4babffeceb8185fb6d284ceddc02dc4617a901228f81de5884e36d82c1771c
                                                                                      • Instruction ID: 044de7e4dd35a86088de80346c1f5ac2e8e2e031d82544e17b68ab28cbecaa44
                                                                                      • Opcode Fuzzy Hash: 6e4babffeceb8185fb6d284ceddc02dc4617a901228f81de5884e36d82c1771c
                                                                                      • Instruction Fuzzy Hash: A1818E70608311AFDB10EF15C984A6FBBE8FB88314F104D2EF995A3291D774D905CBAA
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.28%

                                                                                      APIs
                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406D0D
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 004059CD: _wcscpy.LIBCMT ref: 00405A05
                                                                                        • Part of subcall function 0040702C: __wcsnicmp.LIBCMT ref: 0040709D
                                                                                        • Part of subcall function 0042387D: _iswctype.LIBCMT ref: 00423885
                                                                                        • Part of subcall function 00405DCF: CloseHandle.KERNEL32(?), ref: 00405DEF
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00406E5A
                                                                                        • Part of subcall function 0045FCB1: GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E6C9,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045FCD2
                                                                                        • Part of subcall function 0045FCB1: LoadStringW.USER32(00000000,?,0043E6C9,00000010), ref: 0045FCD9
                                                                                        • Part of subcall function 0045FCB1: _wprintf.LIBCMT ref: 0045FD0C
                                                                                        • Part of subcall function 0045FCB1: MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045FD9D
                                                                                        • Part of subcall function 00420B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406C6C,?,00008000), ref: 00420BB7
                                                                                        • Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,?,004072BA,?,?,?,?,0040108C), ref: 004048CE
                                                                                        • Part of subcall function 00405C4E: SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000), ref: 00405CF6
                                                                                        • Part of subcall function 00404FAA: FreeLibrary.KERNEL32(?,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404FDE
                                                                                        • Part of subcall function 0040766F: _memmove.LIBCMT ref: 0040774A
                                                                                      • _free.LIBCMT ref: 0043EBE2
                                                                                        • Part of subcall function 0045FC4D: _memmove.LIBCMT ref: 0045FC88
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FB81
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FBA2
                                                                                        • Part of subcall function 0045FB6E: __wcsnicmp.LIBCMT ref: 0045FBBC
                                                                                        • Part of subcall function 00406999: _wcscmp.LIBCMT ref: 004069AC
                                                                                        • Part of subcall function 0046F835: _memmove.LIBCMT ref: 0046F880
                                                                                      • _free.LIBCMT ref: 0043EB9C
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                        • Part of subcall function 0045FB07: _wcscpy.LIBCMT ref: 0045FB48
                                                                                        • Part of subcall function 0045FB07: _wcscat.LIBCMT ref: 0045FB51
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406A91
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406AA9
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406AC1
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406AD9
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406AF1
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406B09
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406B21
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406B35
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406B76
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406B8A
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406B9E
                                                                                        • Part of subcall function 00406A3C: __wcsnicmp.LIBCMT ref: 00406BB2
                                                                                        • Part of subcall function 00404F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wcsnicmp$_memmove$CurrentDirectory$FreeHandleLibraryLoad_free_wcscpy$CloseErrorException@8FileFullHeapLastMessageModuleNamePathPointerStringThrow_iswctype_wcscat_wcscmp_wprintfstd::exception::exception
                                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                      • API String ID: 2446333622-1018226102
                                                                                      • Opcode ID: 355b1d916c433aeffe1f2f205a05650c4ee4ade670bc33693f804ee041f9fd3d
                                                                                      • Instruction ID: 1e1e50465060d2d049cdecd8729963b67a53d0d5fc41c37d224936f91734444f
                                                                                      • Opcode Fuzzy Hash: 355b1d916c433aeffe1f2f205a05650c4ee4ade670bc33693f804ee041f9fd3d
                                                                                      • Instruction Fuzzy Hash: DB0272705083419FC714EF25C8419AFBBE5AF98318F14492EF486A72A1DB38D949CB5B
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 5.06%

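                                                                                      The string constants the report attributes to this function (">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "AU3!", "EA06", "#include depth exceeded", "Bad directive syntax error") are the markers of the AutoIt runtime's compiled-script loader, which is why the sample behaves as an AutoIt-compiled dropper. The following Python script is an added triage check, not part of the Joe Sandbox report and not code from the sample: it scans a file for exactly those markers, prints their offsets and gives a verdict. It assumes that a compiled AutoIt binary stores the header bytes "AU3!" and "EA06" contiguously; the embedded `SAMPLE` blob is constructed padding with the markers inserted, not bytes from the analysed file.

```python
"""Scan a file for the AutoIt compiled-script markers listed in the report above.

Added example for triage; the marker strings come from the report's String ID
list for this function, everything else is an assumption of this script.
"""
import sys
from typing import Dict, List

# String constants the report lists for the script-loading function.
MARKERS = (
    b">>>AUTOIT SCRIPT<<<",
    b">>>AUTOIT NO CMDEXECUTE<<<",
    b"AU3!",
    b"EA06",
    b"#include depth exceeded",
    b"Bad directive syntax error",
)


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    hits: List[int] = []
    pos = data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan(data: bytes) -> Dict[str, object]:
    """Locate all markers and classify the buffer.

    Assumption: in a compiled AutoIt binary the script header reads "AU3!EA06"
    contiguously, so an "AU3!" hit immediately followed by "EA06" is treated as
    the start of an embedded compiled script rather than a stray string.
    """
    found = {m.decode(): find_all(data, m) for m in MARKERS}
    header = [o for o in found["AU3!"] if data[o + 4:o + 8] == b"EA06"]
    if header:
        verdict = "compiled AutoIt script header"
    elif found[">>>AUTOIT SCRIPT<<<"]:
        verdict = "AutoIt runtime strings only"
    else:
        verdict = "no AutoIt markers"
    return {"markers": found, "script_header_offsets": header, "verdict": verdict}


# Constructed sample: not a real PE, just padding with the markers embedded
# (">>>AUTOIT SCRIPT<<<" at 0x42, "AU3!" at 0x65, "EA06" at 0x69).
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b">>>AUTOIT SCRIPT<<<" + b"\x00" * 16
    + b"AU3!EA06" + b"\x00" * 8
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = scan(blob)
    print(result["verdict"])
    for name, offsets in result["markers"].items():
        if offsets:
            print(f"  {name!r}: {', '.join(hex(o) for o in offsets)}")
```

                                                                                      Run it against the on-disk sample first; if the markers are absent there but the report still shows them, the loader was only unpacked in memory, and the check should be repeated on the memory dump files the report lists under Memory Dump Source (for example the 00401000 region of process 4).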
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 004045F9
                                                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 0043D750
                                                                                      • GetMenuItemCount.USER32(004C6890), ref: 0043D7CD
                                                                                        • Part of subcall function 004626F9: _memset.LIBCMT ref: 00462747
                                                                                        • Part of subcall function 004626F9: GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462792
                                                                                        • Part of subcall function 004626F9: IsMenu.USER32(00000000), ref: 004627B2
                                                                                        • Part of subcall function 004626F9: CreatePopupMenu.USER32 ref: 004627E6
                                                                                        • Part of subcall function 004626F9: GetMenuItemCount.USER32(000000FF), ref: 00462844
                                                                                        • Part of subcall function 004626F9: InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462875
                                                                                      • DeleteMenu.USER32(004C6890,00000005,00000000), ref: 0043D85D
                                                                                      • DeleteMenu.USER32(004C6890,00000004,00000000), ref: 0043D865
                                                                                      • DeleteMenu.USER32(004C6890,00000006,00000000), ref: 0043D86D
                                                                                      • DeleteMenu.USER32(004C6890,00000003,00000000), ref: 0043D875
                                                                                      • GetMenuItemCount.USER32(004C6890), ref: 0043D87D
                                                                                      • SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 0043D8B7
                                                                                      • GetCursorPos.USER32(?), ref: 0043D8C1
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0043D8CA
                                                                                      • TrackPopupMenuEx.USER32(004C6890,00000000,?,00000000,00000000,00000000), ref: 0043D8DD
                                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0043D8E9
                                                                                        • Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
                                                                                        • Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
                                                                                        • Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
                                                                                        • Part of subcall function 0040410D: LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$Delete$CountInfo_memset$Popup$CreateCursorForegroundIconInsertLoadMessageNotifyPostShell_StringTrackWindow_wcscpy
                                                                                      • String ID:
                                                                                      • API String ID: 3665929494-0
                                                                                      • Opcode ID: e597ca9b44f071e22430df5e07161a6b1da801a0e098349f580a2e7d56667eca
                                                                                      • Instruction ID: 2639a210842817a24e8eb206f5a4e9758f878a2c8cdeb628821b1e41afb81110
                                                                                      • Opcode Fuzzy Hash: e597ca9b44f071e22430df5e07161a6b1da801a0e098349f580a2e7d56667eca
                                                                                      • Instruction Fuzzy Hash: 14713970A40205BEEB209F15EC45FABBF65FF49368F200227F625662D1C7B96C10DB99
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.48%

                                                                                      APIs
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E9D0
                                                                                        • Part of subcall function 0045F2CC: #10.OLEAUT32(?,?,?,?,?,0045E5CC,?,?,?,?,?,?,?,?,?,?), ref: 0045F2D9
                                                                                        • Part of subcall function 0045F2CC: #12.OLEAUT32(?,?,00000000,?,?,?,0045E5CC,?,?,?,?,?,?,?,?), ref: 0045F322
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E643
                                                                                        • Part of subcall function 0045F583: #9.OLEAUT32(?,?,?,?,?,?,0045E5F6,?,?,?,?,?,?,?,?,?), ref: 0045F595
                                                                                        • Part of subcall function 0045F279: #7.OLEAUT32(?,?,?,?,?,0045E61E,?,?,?,?,?,?,?,?,?), ref: 0045F286
                                                                                        • Part of subcall function 0045F279: lstrcpyW.KERNEL32(00000000,?), ref: 0045F2B7
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E621
                                                                                        • Part of subcall function 0045F3DD: #8.OLEAUT32(?,?,?), ref: 0045F3F7
                                                                                        • Part of subcall function 0045F3DD: #9.OLEAUT32(00000013,?,?), ref: 0045F469
                                                                                        • Part of subcall function 0045F3DD: #9.OLEAUT32(00000000,?,?), ref: 0045F4C4
                                                                                        • Part of subcall function 0045F3DD: _memmove.LIBCMT ref: 0045F4EE
                                                                                        • Part of subcall function 0045F3DD: #9.OLEAUT32(?,?,?), ref: 0045F53B
                                                                                        • Part of subcall function 0045F3DD: #12.OLEAUT32(?,?,00000000,00000013,?,?), ref: 0045F569
                                                                                        • Part of subcall function 0045E187: #9.OLEAUT32(?,?,?,?,?,0045E6A4,?,?,?,?,?,?,?,?), ref: 0045E198
                                                                                        • Part of subcall function 0045F0F4: CLSIDFromString.OLE32(?,00000000), ref: 0045F116
                                                                                        • Part of subcall function 0045F0F4: #8.OLEAUT32(00000008,00000000,?,?), ref: 0045F127
                                                                                        • Part of subcall function 0045F0F4: #9.OLEAUT32(00000008), ref: 0045F176
                                                                                        • Part of subcall function 0045F20E: _memmove.LIBCMT ref: 0045F233
                                                                                        • Part of subcall function 0045F1C7: #7.OLEAUT32(?,00000000,?,?,?,0045E71C,?,?,?,?,?,?,?,?,?,?), ref: 0045F1D4
                                                                                        • Part of subcall function 0045F1C7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000,?,0045E71C,?,?,?,?,?,?), ref: 0045F1FF
                                                                                        • Part of subcall function 0045F244: #8.OLEAUT32(00000000,00000000,?,?,0045E72B,?,?,?,?,?,?,?,?,?,?), ref: 0045F254
                                                                                        • Part of subcall function 0045F244: #10.OLEAUT32(00000000,?,?,0045E72B,?,?,?,?,?,?,?,?,?,?), ref: 0045F25F
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E75F
                                                                                      • #8.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E7C2
                                                                                      • #146.OLEAUT32(00000008,?,?,00000015,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E828
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E83A
                                                                                      • #10.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?), ref: 0045E8A6
                                                                                        • Part of subcall function 0045F34A: #11.OLEAUT32(?,?,00000000,?,00000000,?,0045E915,?,?,?,?,?,?,?,?), ref: 0045F374
                                                                                        • Part of subcall function 0045F34A: #9.OLEAUT32(?,?,0045E915,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045F38B
                                                                                        • Part of subcall function 0045F34A: #9.OLEAUT32(?,00000000,?,00000000,?,0045E915,?,?,?,?,?,?,?,?,?,?), ref: 0045F3C1
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045E931
                                                                                      • #9.OLEAUT32(?,?,?,?,?,?,?,?,?,?), ref: 0045E94A
                                                                                        • Part of subcall function 0045DFDC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 0045E01F
                                                                                        • Part of subcall function 0045DFDC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E045
                                                                                        • Part of subcall function 0045DFDC: #2.OLEAUT32(00000000), ref: 0045E048
                                                                                        • Part of subcall function 0045DFDC: #2.OLEAUT32(?,00000000,?,00000000), ref: 0045E066
                                                                                        • Part of subcall function 0045DFDC: #6.OLEAUT32(?), ref: 0045E06F
                                                                                        • Part of subcall function 0045DFDC: StringFromGUID2.OLE32(?,?,00000028), ref: 0045E094
                                                                                        • Part of subcall function 0045DFDC: #2.OLEAUT32(?), ref: 0045E0A2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$FromString_memmove$#146Exception@8Throwlstrcpystd::exception::exception
                                                                                      • String ID: $@
                                                                                      • API String ID: 1954046481-3337466569
                                                                                      • Opcode ID: dd4399f0ae6af411d1303c1880c68a7317eae0cc99e5ad3642dcfdb93d537894
                                                                                      • Instruction ID: 2367215a764623180a7b7ccf3c946de02fa337b23223ba35a6fad57feaa93611
                                                                                      • Opcode Fuzzy Hash: dd4399f0ae6af411d1303c1880c68a7317eae0cc99e5ad3642dcfdb93d537894
                                                                                      • Instruction Fuzzy Hash: E5E1EFB5504311ABD724DF1AC884A2BBBE4FF88755F40482EF985D7362C238E949CB5A
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 7.75%

                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000066,?,00000FFF,%I), ref: 0046A0FC
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
                                                                                      • MessageBoxW.USER32(?,?,00011010,?), ref: 0046A27F
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                      • _wprintf.LIBCMT ref: 0046A246
                                                                                      • _wprintf.LIBCMT ref: 0046A264
                                                                                        • Part of subcall function 00423ECA: __stbuf.LIBCMT ref: 00423F1A
                                                                                        • Part of subcall function 00423ECA: __ftbuf.LIBCMT ref: 00423F47
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$LoadString_wprintf$Message__ftbuf__stbuf
                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%I
                                                                                      • API String ID: 3548575722-1791166345
                                                                                      • Opcode ID: 283c65b10acbc9e3ea08904c3a64b0f1d6e2d46486382073d7cdbef1976017cc
                                                                                      • Instruction ID: 5eca713841166c9be329d5f9fa950bc6c7814f67f077d1cebb18d641bd9ae8df
                                                                                      • Opcode Fuzzy Hash: 283c65b10acbc9e3ea08904c3a64b0f1d6e2d46486382073d7cdbef1976017cc
                                                                                      • Instruction Fuzzy Hash: 70516171940509AACF15EBA1CD42EEEB779AF04304F1041AAF50572191EB396F58CFAA
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00469EEA
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00469F0B
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                      • _wprintf.LIBCMT ref: 0046A024
                                                                                      • _wprintf.LIBCMT ref: 0046A042
                                                                                        • Part of subcall function 00423ECA: __stbuf.LIBCMT ref: 00423F1A
                                                                                        • Part of subcall function 00423ECA: __ftbuf.LIBCMT ref: 00423F47
                                                                                      • MessageBoxW.USER32(?,?,00011010,?), ref: 0046A05D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$LoadString_wprintf$Message__ftbuf__stbuf
                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                      • API String ID: 3548575722-3080491070
                                                                                      • Opcode ID: 5da25fc7b66a9eb9b6242e597a6d6382651ec39f2b65f9cad663c5771dcfbff7
                                                                                      • Instruction ID: 76274d9797fa1b0a96375c9153502d123c4c41548c028f67242602cb02bcdabd
                                                                                      • Opcode Fuzzy Hash: 5da25fc7b66a9eb9b6242e597a6d6382651ec39f2b65f9cad663c5771dcfbff7
                                                                                      • Instruction Fuzzy Hash: CE515371900609AADF15EBE1CD42EEEB779AF08304F10016BB50572191EB396F59CFAA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                        • Part of subcall function 0048BCED: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0048BD10
                                                                                        • Part of subcall function 0048BCED: GetFileSize.KERNEL32(00000000,00000000), ref: 0048BD27
                                                                                        • Part of subcall function 0048BCED: GlobalAlloc.KERNEL32(00000002,00000000), ref: 0048BD32
                                                                                        • Part of subcall function 0048BCED: CloseHandle.KERNEL32(00000000), ref: 0048BD3F
                                                                                        • Part of subcall function 0048BCED: GlobalLock.KERNEL32(00000000), ref: 0048BD48
                                                                                        • Part of subcall function 0048BCED: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0048BD57
                                                                                        • Part of subcall function 0048BCED: GlobalUnlock.KERNEL32(00000000), ref: 0048BD60
                                                                                        • Part of subcall function 0048BCED: CloseHandle.KERNEL32(00000000), ref: 0048BD67
                                                                                        • Part of subcall function 0048BCED: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0048BD78
                                                                                        • Part of subcall function 0048BCED: #418.OLEAUT32(?,00000000,00000000,00492CAC,?), ref: 0048BD91
                                                                                        • Part of subcall function 0048BCED: GlobalFree.KERNEL32(00000000), ref: 0048BDA1
                                                                                        • Part of subcall function 0048BCED: GetObjectW.GDI32(?,00000018,000000FF), ref: 0048BDC5
                                                                                        • Part of subcall function 0048BCED: CopyImage.USER32(?,00000000,?,?,00002000), ref: 0048BDF0
                                                                                        • Part of subcall function 0048BCED: DeleteObject.GDI32(00000000), ref: 0048BE18
                                                                                        • Part of subcall function 0048BCED: SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0048BE2E
                                                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000), ref: 004877CD
                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004877D4
                                                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004877E7
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004877EF
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 004877FA
                                                                                      • DeleteDC.GDI32(00000000), ref: 00487803
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0048780D
                                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00487821
                                                                                      • DestroyWindow.USER32(?), ref: 0048782D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Global$CreateObject$FileMessageSend$CloseDeleteHandle$#418AllocAttributesCompatibleCopyDestroyFreeImageLayeredLockLongMovePixelReadSelectShowSizeStockStreamUnlock
                                                                                      • String ID: athan$static
                                                                                      • API String ID: 406645659-3227529370
                                                                                      • Opcode ID: 80c3bdd7a0d63ebeaa4556a6b8c79307fca78e479194d2b0b8ea9a7529ca2377
                                                                                      • Instruction ID: 789ec3a4cb580d3187b1e0f25c444e25d791e636f2d83489152635d906d596f6
                                                                                      • Opcode Fuzzy Hash: 80c3bdd7a0d63ebeaa4556a6b8c79307fca78e479194d2b0b8ea9a7529ca2377
                                                                                      • Instruction Fuzzy Hash: DD316E31105115AFDF11AF64DC08FDF3B69EF49324F210A29FA15A61A0D739E815DBA8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.12%

                                                                                      APIs
                                                                                      • #115.WSOCK32(00000101,?), ref: 0046490E
                                                                                      • #57.WSOCK32(?,00000100), ref: 00464928
                                                                                      • #52.WSOCK32(?), ref: 00464935
                                                                                      • _wcscpy.LIBCMT ref: 0046495D
                                                                                      • _memmove.LIBCMT ref: 00464970
                                                                                      • #11.WSOCK32(?), ref: 0046497B
                                                                                      • _strcat.LIBCMT ref: 00464989
                                                                                        • Part of subcall function 0046573E: _strlen.LIBCMT ref: 00465756
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00466870), ref: 00465769
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00466870), ref: 0046579D
                                                                                      • _wcscpy.LIBCMT ref: 004649A0
                                                                                      • #116.WSOCK32 ref: 004649AE
                                                                                      • _wcscpy.LIBCMT ref: 004649BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcscpy$ByteCharMultiWide$#115#116_memmove_strcat_strlen
                                                                                      • String ID: 0.0.0.0
                                                                                      • API String ID: 860691916-3771769585
                                                                                      • Opcode ID: ebd3510c7347cce57e77ad78f705b66a6a72045763e94f2935d5d1112d065572
                                                                                      • Instruction ID: a415c47feca9f18ccc9aca6889e14e15c95de93dcf3fd0710918b8717f4bba87
                                                                                      • Opcode Fuzzy Hash: ebd3510c7347cce57e77ad78f705b66a6a72045763e94f2935d5d1112d065572
                                                                                      • Instruction Fuzzy Hash: FE110571A04124ABDB20AB34AD06EDF77ACDF40714F1001BBF40492191FFB89AC9976A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00401B9A
                                                                                      • DestroyWindow.USER32(?), ref: 004020D3
                                                                                      • KillTimer.USER32(-00000001), ref: 0040216E
                                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0043BEF6
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 0043BF27
                                                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 0043BF3E
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004016CB,00000000), ref: 0043BF5A
                                                                                      • DeleteObject.GDI32(00000000), ref: 0043BF6C
                                                                                      • DestroyIcon.USER32(?), ref: 0043BF7E
                                                                                      • DeleteObject.GDI32(00000000), ref: 0043BF90
                                                                                      • DestroyWindow.USER32(00000000), ref: 0043BFA2
                                                                                      • DestroyIcon.USER32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 0043BFB4
                                                                                      • DestroyIcon.USER32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 0043BFC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Destroy$IconImageList_$DeleteObjectWindow$AcceleratorInvalidateKillRectTableTimer
                                                                                      • String ID:
                                                                                      • API String ID: 2960459417-0
                                                                                      • Opcode ID: 78cac20c66e0e6767138dba4ab7aa47be9ee332057a729cfcb45c06255a83930
                                                                                      • Instruction ID: 62d4407ef01395a22b5ebf1233624f5b0999fc02156c59d6ff76a6043205edb2
                                                                                      • Opcode Fuzzy Hash: 78cac20c66e0e6767138dba4ab7aa47be9ee332057a729cfcb45c06255a83930
                                                                                      • Instruction Fuzzy Hash: 55616B34101610DFD725AF14CE48B2A77F1FF44315F11993EE642A6AE0C7B9A881DF99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.27%

                                                                                      APIs
                                                                                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                      • GetSysColor.USER32(0000000F), ref: 004021D3
                                                                                      • GetSysColor.USER32(00000008), ref: 00402231
                                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                                                      • GetStockObject.GDI32(00000005), ref: 00402258
                                                                                      • GetWindowDC.USER32(?), ref: 0043C0D3
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043C0E0
                                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0043C0F9
                                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0043C112
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0043C132
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0043C13D
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0043C159
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ColorPixel$Window$BrushCreateLongModeObjectReleaseSolidStockText
                                                                                      • String ID:
                                                                                      • API String ID: 2304791953-0
                                                                                      • Opcode ID: cdac9cb2508351c8145c21bbd88bb5245f40cba3cfb8a0d4cbe4db6e4b3f4d31
                                                                                      • Instruction ID: 47503e6e8c25a14c6d04473920290e3c3a9e3a2f6008e0ea463bb1cae73e411f
                                                                                      • Opcode Fuzzy Hash: cdac9cb2508351c8145c21bbd88bb5245f40cba3cfb8a0d4cbe4db6e4b3f4d31
                                                                                      • Instruction Fuzzy Hash: FD41D731000140AFDF215FA8DC8CBBA3765EB46331F1446BAFD65AA2E2C7758C86DB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 004873D9
                                                                                      • CreateMenu.USER32 ref: 004873F4
                                                                                      • SetMenu.USER32(?,00000000), ref: 00487403
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487490
                                                                                      • IsMenu.USER32(?), ref: 004874A6
                                                                                      • CreatePopupMenu.USER32 ref: 004874B0
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004874DD
                                                                                      • DrawMenuBar.USER32 ref: 004874E5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                      • String ID: 0$F
                                                                                      • API String ID: 176399719-3044882817
                                                                                      • Opcode ID: c25b011170b029855e58234153c04d5ad6438b2c3f951a4d7e3730a877261e10
                                                                                      • Instruction ID: 469fb1be4590f9541f2c80e88f17ef0f5a107e94f682755a56fb5537772b2935
                                                                                      • Opcode Fuzzy Hash: c25b011170b029855e58234153c04d5ad6438b2c3f951a4d7e3730a877261e10
                                                                                      • Instruction Fuzzy Hash: 08415874A01205EFDB10EF64D898E9EBBB9FF49300F24482AED55A7361D734A914CF68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 4.65%

                                                                                      APIs
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      • _memset.LIBCMT ref: 0042707B
                                                                                        • Part of subcall function 00433F0C: __lock.LIBCMT ref: 00433F23
                                                                                        • Part of subcall function 00433F0C: __tzset_nolock.LIBCMT ref: 00433F36
                                                                                      • __gmtime64_s.LIBCMT ref: 00427114
                                                                                      • __gmtime64_s.LIBCMT ref: 0042714A
                                                                                      • __gmtime64_s.LIBCMT ref: 00427167
                                                                                        • Part of subcall function 00433CE1: _memset.LIBCMT ref: 00433D11
                                                                                        • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433D64
                                                                                        • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433E60
                                                                                        • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433EB5
                                                                                        • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433ECF
                                                                                        • Part of subcall function 00433CE1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00433EF0
                                                                                        • Part of subcall function 00433F5C: __lock.LIBCMT ref: 00433F6E
                                                                                        • Part of subcall function 00433F5C: __isindst_nolock.LIBCMT ref: 00433F7B
                                                                                      • __allrem.LIBCMT ref: 004271BD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004271D9
• __allrem.LIBCMT ref: 004271F0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042720E
• __allrem.LIBCMT ref: 00427225
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427243
• __invoke_watson.LIBCMT ref: 004272B4
  • Part of subcall function 00429006: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00429008
  • Part of subcall function 00429006: __call_reportfault.LIBCMT ref: 00429021
Memory Dump Source
• Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
• Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
• Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
• Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
• Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__gmtime64_s$__lock_memset$FeaturePresentProcessor__call_reportfault__getptd_noexit__invoke_watson__isindst_nolock__tzset_nolock
• String ID:
• API String ID: 3881391381-0
• Opcode ID: f449d8c0ffc7a299f8ac5c355c84109bbbb1ac945fd94324ebc384d93c6e9658
• Instruction ID: 3a5766166ad995f9d080cadeea3a970d97efeda9365c881e9167125cd7ba6949
• Opcode Fuzzy Hash: f449d8c0ffc7a299f8ac5c355c84109bbbb1ac945fd94324ebc384d93c6e9658
• Instruction Fuzzy Hash: F3711972B04726EBD7149E79DC82B6BB3A4AF14324F54426FF514E6381E778E9008B98
Uniqueness

Uniqueness Score: 2.28%

APIs
• _memset.LIBCMT ref: 00462A31
• GetMenuItemInfoW.USER32(004C6890,000000FF,00000000,00000030), ref: 00462A92
• SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 00462AC8
  • Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
  • Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
  • Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
  • Part of subcall function 0040410D: LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
• Sleep.KERNEL32(000001F4), ref: 00462ADA
• GetMenuItemCount.USER32(?), ref: 00462B1E
• GetMenuItemID.USER32(?,00000000), ref: 00462B3A
• GetMenuItemID.USER32(?,-00000001), ref: 00462B64
• GetMenuItemID.USER32(?,?), ref: 00462BA9
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462BEF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C03
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C24
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: ItemMenu$Info$_memset$CheckCountIconLoadNotifyRadioShell_SleepString_wcscpy
• String ID:
• API String ID: 1765048189-0
• Opcode ID: 0db34e4f82c13017aa7dadbfd465409a1cb67985b1d4a80d7e657ddb00fdb038
• Instruction ID: 18a65889ef34665f5b2b5336e4e6eed4a99801a903535dc72d9624464193ca63
• Opcode Fuzzy Hash: 0db34e4f82c13017aa7dadbfd465409a1cb67985b1d4a80d7e657ddb00fdb038
• Instruction Fuzzy Hash: 6461D4B0900649BFDB21CF54CE88DBF7BB8EB41704F14446EE841A7251E7B9AD05DB2A
Uniqueness

Uniqueness Score: 2.20%

APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00487214
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00487217
• GetWindowLongW.USER32(?,000000F0), ref: 0048723B
• _memset.LIBCMT ref: 0048724C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0048725E
  • Part of subcall function 0048AF23: _wcspbrk.LIBCMT ref: 0048AF30
  • Part of subcall function 0048AF23: _wcsncpy.LIBCMT ref: 0048AF64
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004872D6
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00487320
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 0048733F
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0048735A
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 0048736E
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 0048738B
  • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
  • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
  • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
  • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: MessageSend$ClientRectScreenWindow$InvalidateLong_memset_wcsncpy_wcspbrk
• String ID:
• API String ID: 3849892166-0
• Opcode ID: 1f254a2dd634fbf8d682cb823299d5faa4870696f922a999c8bea393425f8b4a
• Instruction ID: 98a04bc020cc1dfb4f2f33dd24e3f33540f585986abfb0e63cd4152109fcc849
• Opcode Fuzzy Hash: 1f254a2dd634fbf8d682cb823299d5faa4870696f922a999c8bea393425f8b4a
• Instruction Fuzzy Hash: 57618E75900208AFDB10EFA4CC91EEE77F8AF09704F24456AFA14A73A1C774A945DB64
Uniqueness

Uniqueness Score: 2.04%

APIs
• #41.OLEAUT32(0000000C,?,?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4), ref: 00457135
• #37.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 0045718E
• #8.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 004571A0
• #23.OLEAUT32(?,?,?,?,?,?,?,?,00456EC6), ref: 004571C0
• #9.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457264
  • Part of subcall function 00409E9C: #9.OLEAUT32(?,?,?,?,?,00469D81,?,00000001,-004C5E88,?,00455CCE,?,?,?,0040FAE1,00000000), ref: 0043FE11
  • Part of subcall function 004570DC: #9.OLEAUT32(?,00000000,?,00000016,00479753,?,00000016,?,00000016), ref: 00457101
• #10.OLEAUT32(?,?,00000002,?,?,?,?,?,?,?,00456EC6), ref: 00457213
• #24.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00456EC6), ref: 00457227
• #9.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 0045723C
• #39.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457249
• #38.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457252
• #38.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 0045726F
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b23c1a385547e4fe92da69b3c9963987276d6a870cfb840cf5260315eec4c18b
• Instruction ID: ee6ff97d49ab8f9c2dd167b55ca35aa0841007d9f21f2d6d7be11d351e1905ac
• Opcode Fuzzy Hash: b23c1a385547e4fe92da69b3c9963987276d6a870cfb840cf5260315eec4c18b
• Instruction Fuzzy Hash: 61416031A00119AFCB00DFA9D8449AEBBB9FF18755F00847EF955E7362CB34A949CB94
Uniqueness

Uniqueness Score: 2.04%

APIs
• _memset.LIBCMT ref: 0047947C
• #8.OLEAUT32(?), ref: 0047954D
• #8.OLEAUT32(?,?,?,?), ref: 0047964E
• #9.OLEAUT32(?), ref: 00479658
  • Part of subcall function 00467804: #8.OLEAUT32(00000000,?,?,00000016,00000016,?,004799E9,?,?), ref: 00467844
  • Part of subcall function 00467804: #10.OLEAUT32(00000000,?,?,004799E9,?,?), ref: 0046784D
  • Part of subcall function 00467804: #9.OLEAUT32(00000000,?,004799E9,?,?), ref: 00467859
• #9.OLEAUT32(?,?), ref: 004796B5
  • Part of subcall function 004796DB: GetLastError.KERNEL32(?,00000000,?,0048FB84,?,00000016,?,00000016), ref: 004798A5
  • Part of subcall function 004796DB: #8.OLEAUT32(?,?,?,?), ref: 00479999
  • Part of subcall function 004796DB: #9.OLEAUT32(?,0048FB84,00000000,?,?,?,?,?), ref: 00479A43
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: ErrorLast_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
• API String ID: 533350023-1765764032
• Opcode ID: c876955a294aa8d86eb8db64ea30777345f3c0a1fb8a500add95116d5b305f7c
• Instruction ID: fcebb0c40d61f867c18811628665e3ff882c4d71f35d8502a0dec60dd81a9e36
• Opcode Fuzzy Hash: c876955a294aa8d86eb8db64ea30777345f3c0a1fb8a500add95116d5b305f7c
• Instruction Fuzzy Hash: 2791AD71A00215ABCF24DFA5C844FEFBBB8EF45714F10851AE519AB280D778AD05CFA8
Uniqueness

Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• GetSystemMetrics.USER32(0000000F), ref: 0048D78A
• GetSystemMetrics.USER32(0000000F), ref: 0048D7AA
• MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0048D9E5
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048DA03
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048DA24
• ShowWindow.USER32(00000003,00000000), ref: 0048DA43
• InvalidateRect.USER32(?,00000000,00000001), ref: 0048DA68
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0048DA8B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-3916222277
• Opcode ID: eb70e67288782093014809172296cca956549343a8f45a5b87efe570699ce815
• Instruction ID: eb940e76658434b7ad8eeabe1703afeb33935e81992f953b53c46158808d9c3e
• Opcode Fuzzy Hash: eb70e67288782093014809172296cca956549343a8f45a5b87efe570699ce815
• Instruction Fuzzy Hash: C9B19B71901215EBDF18EF68C9857BE7BB1FF48700F18847AEC48AB295D738A950CB58
Uniqueness

Uniqueness Score: 12.89%

APIs
Strings
• ERCP, xrefs: 00416313
• internal error: opcode not recognized, xrefs: 0041647D
• argument is not a compiled regular expression, xrefs: 00451160
• argument not compiled in 16 bit mode, xrefs: 00451150
• internal error: missing capturing bracket, xrefs: 00451158
• failed to get memory, xrefs: 00416488
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
• API String ID: 2532777613-264027815
• Opcode ID: 5050f1d5a739bef3a8333c6a539d66c1edae72094ea9907375e2dc5b1e6d177f
• Instruction ID: 5033df5f12e9d93d71518abbe4fce8200a660ff7c3ad8cb2f73575c85904d8e6
• Opcode Fuzzy Hash: 5050f1d5a739bef3a8333c6a539d66c1edae72094ea9907375e2dc5b1e6d177f
• Instruction Fuzzy Hash: 9551C0719007199BCB24CF65C881BEBBBF4EF08314F20856FE94AC6251E778D985CB58
Uniqueness

Uniqueness Score: 100.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E6C9,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045FCD2
• LoadStringW.USER32(00000000,?,0043E6C9,00000010), ref: 0045FCD9
  • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
• _wprintf.LIBCMT ref: 0045FD0C
  • Part of subcall function 00423ECA: __stbuf.LIBCMT ref: 00423F1A
  • Part of subcall function 00423ECA: __ftbuf.LIBCMT ref: 00423F47
  • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045FD9D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: _memmove$HandleLoadMessageModuleString__ftbuf__stbuf_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1008278035-4153970271
• Opcode ID: 2711c1099e1e3cfdeec11ef3c532a81f9540f66b70c73c00a421ef3ad6350e31
• Instruction ID: 81f1730f4d526a642bfcee5cc6fe39c4b389179dc46090657c4ca9c9ceb2fa3a
• Opcode Fuzzy Hash: 2711c1099e1e3cfdeec11ef3c532a81f9540f66b70c73c00a421ef3ad6350e31
• Instruction Fuzzy Hash: 5121503290021EABCF12EFA0CC46EEE7735BF18705F04046BF505660E2D679AA5CDB99
Uniqueness

Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • #77.OLEAUT32(00000000,?,00000002,?,00000000,00000000,?,?,?,?,?,0046782E,?,?,00000016,00000016), ref: 00467CF6
                                                                                      • #23.OLEAUT32(?,?,?,?,?,?,?,0046782E,?,?), ref: 00467D21
                                                                                        • Part of subcall function 0046794E: _memset.LIBCMT ref: 00467983
                                                                                      • _memmove.LIBCMT ref: 00467D3D
                                                                                      • #24.OLEAUT32(?,?,?,?,?,?,?,?,?,0046782E,?,?), ref: 00467D46
                                                                                      • #23.OLEAUT32(00000000,?,?,?,?,?,?,0046782E,?,?,00000016,00000016), ref: 00467D7B
                                                                                      • _memmove.LIBCMT ref: 00467DD7
                                                                                      • #23.OLEAUT32(00000000,?,00000002,?,00000000,00000000,?,?,?,?,?,0046782E,?,?,00000016,00000016), ref: 00467E1A
                                                                                      • #23.OLEAUT32(00000000,?,00000002,?,00000000,00000000,?,?,?,?,?,0046782E,?,?,00000016,00000016), ref: 00467E8F
                                                                                      • #23.OLEAUT32(00000000,0046782E,00000002,?,00000000,00000000,?,?,?,?,?,0046782E,?,?,00000016,00000016), ref: 00467F06
                                                                                      • #24.OLEAUT32(00000000,?,?,?,?,?,0046782E,?,?), ref: 00467F63
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 00467804: #8.OLEAUT32(00000000,?,?,00000016,00000016,?,004799E9,?,?), ref: 00467844
                                                                                        • Part of subcall function 00467804: #10.OLEAUT32(00000000,?,?,004799E9,?,?), ref: 0046784D
                                                                                        • Part of subcall function 00467804: #9.OLEAUT32(00000000,?,004799E9,?,?), ref: 00467859
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$Exception@8Throw_memsetstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 111500385-0
                                                                                      • Opcode ID: 987899574f0da1b615fe03902764485af2dd16721cb896bd8fb240e969628c57
                                                                                      • Instruction ID: 84cb7d45f9d8793474644a93194044f32f7eba6a2b7a870eb07e14d75927cafd
                                                                                      • Opcode Fuzzy Hash: 987899574f0da1b615fe03902764485af2dd16721cb896bd8fb240e969628c57
                                                                                      • Instruction Fuzzy Hash: F2B19071A0421A9FDB10DF94C484BBEB7B4FF08329F24446AE500E7391E7799D45CB9A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000008), ref: 00402231
                                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                                                      • GetStockObject.GDI32(00000005), ref: 00402258
                                                                                      • GetClientRect.USER32(?), ref: 0043C00B
                                                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0043C022
                                                                                      • GetWindowDC.USER32(?), ref: 0043C02E
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0043C03D
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0043C04F
                                                                                      • GetSysColor.USER32(00000005), ref: 0043C06D
                                                                                      • GetWindowDC.USER32(?), ref: 0043C0D3
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043C0E0
                                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0043C0F9
                                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0043C112
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0043C132
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0043C13D
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0043C159
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pixel$Color$ReleaseWindow$BrushClientCreateMessageModeObjectRectSendSolidStockText
                                                                                      • String ID:
                                                                                      • API String ID: 2620996928-0
                                                                                      • Opcode ID: 1bf2c63732afe56eb40a90f078efa9d7f02239ddb0671fcfb63c7c23008006c8
                                                                                      • Instruction ID: 802d89892a32490a02705165823103a0381fc92a3b0e4948cdb48aeb982ddee2
                                                                                      • Opcode Fuzzy Hash: 1bf2c63732afe56eb40a90f078efa9d7f02239ddb0671fcfb63c7c23008006c8
                                                                                      • Instruction Fuzzy Hash: E2218C31100200EFDB216FA4EC4CBAE7B71EB08321F10467AFA25A51E2CB310956EF15
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.27%

                                                                                      APIs
                                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0040FC06
                                                                                      • OleUninitialize.OLE32 ref: 0040FCA5
                                                                                        • Part of subcall function 004161FE: VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,00000000,0040FCE7,?), ref: 0045113C
                                                                                        • Part of subcall function 004161FE: CloseHandle.KERNEL32(?), ref: 00451145
                                                                                      • UnregisterHotKey.USER32(?), ref: 0040FDFC
                                                                                      • DestroyWindow.USER32(?), ref: 00444A00
                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00444A92
                                                                                        • Part of subcall function 00405DCF: CloseHandle.KERNEL32(?), ref: 00405DEF
                                                                                      • FindClose.KERNEL32(?), ref: 00444A2C
                                                                                      • FreeLibrary.KERNEL32(?), ref: 00444A65
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseFree$HandleVirtual$DestroyFindLibrarySendStringUninitializeUnregisterWindow
                                                                                      • String ID: close all
                                                                                      • API String ID: 1721425543-3243417748
                                                                                      • Opcode ID: 2d6be8239382604261f8dbc7b07cd937b76970d41e9ba2928ba090010e962106
                                                                                      • Instruction ID: f79c305bce8c495b879b6b3d36d440b666e908b3516d9d6565214aadf1190029
                                                                                      • Opcode Fuzzy Hash: 2d6be8239382604261f8dbc7b07cd937b76970d41e9ba2928ba090010e962106
                                                                                      • Instruction Fuzzy Hash: 2BA160307012128FDB29EF15C495B6AF764BF44704F5442BEE80A7B692DB38AD1ACF58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.83%

                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                                                                                        • Part of subcall function 00488AC0: InvalidateRect.USER32(?,00000000,00000001), ref: 00488B4D
                                                                                        • Part of subcall function 00488AC0: SendMessageW.USER32(?,00001024,00000000,?), ref: 00488B9C
                                                                                        • Part of subcall function 00488AC0: GetWindowLongW.USER32(?,000000F0), ref: 00488BC6
                                                                                        • Part of subcall function 00488AC0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00488BD3
                                                                                        • Part of subcall function 004888B4: InvalidateRect.USER32(?,00000000,00000001), ref: 0048896E
                                                                                        • Part of subcall function 004888B4: SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004889A4
                                                                                        • Part of subcall function 004888B4: ShowWindow.USER32(?,00000000), ref: 004889ED
                                                                                        • Part of subcall function 004888B4: ShowWindow.USER32(?,00000005), ref: 004889F3
                                                                                        • Part of subcall function 004888B4: SetFocus.USER32 ref: 004889F7
                                                                                        • Part of subcall function 004888B4: GetWindowLongW.USER32(?,000000F0), ref: 00488A35
                                                                                        • Part of subcall function 004888B4: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00488A42
                                                                                        • Part of subcall function 004888B4: SendMessageW.USER32(?,00001001,00000000,?), ref: 00488A86
                                                                                        • Part of subcall function 004888B4: SendMessageW.USER32(?,00001026,00000000,?), ref: 00488A93
                                                                                        • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                                                                                        • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                                                                                        • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                                                                                        • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401F74
                                                                                        • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401F8D
                                                                                        • Part of subcall function 00401DB3: GetSystemMetrics.USER32(0000000F), ref: 0043BD81
                                                                                        • Part of subcall function 00486442: DeleteObject.GDI32(00000000), ref: 0048645A
                                                                                        • Part of subcall function 00486442: GetDC.USER32(00000000), ref: 00486462
                                                                                        • Part of subcall function 00486442: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0048646D
                                                                                        • Part of subcall function 00486442: ReleaseDC.USER32(00000000,00000000), ref: 00486479
                                                                                        • Part of subcall function 00486442: CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004864B5
                                                                                        • Part of subcall function 00486442: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004864C6
                                                                                        • Part of subcall function 00486442: MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00486500
                                                                                        • Part of subcall function 00486442: SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00486520
                                                                                      • GetDC.USER32 ref: 0043CF82
                                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CF95
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0043CFA3
                                                                                        • Part of subcall function 00464A71: _wcstok.LIBCMT ref: 00464AD4
                                                                                        • Part of subcall function 00464A71: GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00464AF1
                                                                                        • Part of subcall function 00464A71: _wcstok.LIBCMT ref: 00464B04
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0043CFB8
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0043CFC0
                                                                                      • MoveWindow.USER32(?,?,?,?,?,?), ref: 0043D04B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSend$Rect$Long$ClientObject$InvalidateMoveReleaseSelectShow_wcstok$CapsCreateDeleteDeviceExtentFocusFontMetricsPoint32ScreenSystemText
                                                                                      • String ID: U
                                                                                      • API String ID: 3989468521-3372436214
                                                                                      • Opcode ID: 0969c50ed03cbcb6b15ab821441fe7f6d053487c1f74c0115cd5092b0ee42946
                                                                                      • Instruction ID: 503d644826a268ec800efc68b7bbea7fbba9df6d5383aa92877d77a3c614af5d
                                                                                      • Opcode Fuzzy Hash: 0969c50ed03cbcb6b15ab821441fe7f6d053487c1f74c0115cd5092b0ee42946
                                                                                      • Instruction Fuzzy Hash: B471E130900205DFCF259F64C884AAB3BB6FF48318F14427BED556A2E6C7398842DB69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.25%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                        • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                                                        • Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                                        • Part of subcall function 00402344: GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
                                                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 0048C2E4
                                                                                      • ImageList_EndDrag.COMCTL32 ref: 0048C2EA
                                                                                      • ReleaseCapture.USER32 ref: 0048C2F0
                                                                                        • Part of subcall function 0048ADF1: ClientToScreen.USER32(?,?), ref: 0048AE1A
                                                                                        • Part of subcall function 0048ADF1: GetWindowRect.USER32(?,?), ref: 0048AE90
                                                                                        • Part of subcall function 0048ADF1: PtInRect.USER32(?,?,?), ref: 0048AEA0
                                                                                        • Part of subcall function 0048ADF1: MessageBeep.USER32(00000000), ref: 0048AF11
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004880E0
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004880FF
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00488123
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00488134
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00000149,00000000,00000000), ref: 00488153
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00488186
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000133C,00000000,?), ref: 004881AC
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004881E7
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 0048822E
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 00488256
                                                                                        • Part of subcall function 0048804A: IsMenu.USER32(?), ref: 0048826F
                                                                                        • Part of subcall function 0048804A: GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882CA
                                                                                        • Part of subcall function 0048804A: GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004882F8
                                                                                        • Part of subcall function 0048804A: GetWindowLongW.USER32(?,000000F0), ref: 0048836C
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004883BB
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00001001,00000000,?), ref: 00488456
                                                                                        • Part of subcall function 0048804A: wsprintfW.USER32 ref: 0048847E
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004884A0
                                                                                        • Part of subcall function 0048804A: GetWindowTextW.USER32(?,00000000,00000001), ref: 004884C8
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004884EA
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048850A
                                                                                        • Part of subcall function 0048804A: GetWindowTextW.USER32(?,00000000,00000001), ref: 00488531
                                                                                        • Part of subcall function 0048804A: GetWindowLongW.USER32(?,000000EC), ref: 004885AB
                                                                                        • Part of subcall function 0048804A: _memset.LIBCMT ref: 004885BD
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00001053,000000FF,?), ref: 004885EC
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,?), ref: 00488625
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00488676
                                                                                        • Part of subcall function 0048804A: CharNextW.USER32(00000000), ref: 004886B1
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 004886E1
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 004886FC
                                                                                        • Part of subcall function 0048804A: _memset.LIBCMT ref: 00488709
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,0000104B,00000000,?), ref: 0048872A
                                                                                        • Part of subcall function 0048804A: SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0048873F
                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 0048C39A
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0048C3AD
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • DefDlgProcW.USER32(?,00000202,?), ref: 0048C48F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Send$Window$Long$MenuText$AsyncClientDragImageInfoItemList_RectScreenState_memset$BeepCaptureCharCursorLeaveNextProcRelease_memmovewsprintf
                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                      • API String ID: 3004859125-2107944366
                                                                                      • Opcode ID: 117dcdd94416484c18a05dca1cad4d1878e10aaafb5c61bd83af7fa7027f6da8
                                                                                      • Instruction ID: dc367e10a39d425f30cb391b84f58576d3d09b44280b1156dac04409bcc5156d
                                                                                      • Opcode Fuzzy Hash: 117dcdd94416484c18a05dca1cad4d1878e10aaafb5c61bd83af7fa7027f6da8
                                                                                      • Instruction Fuzzy Hash: 7451A170204304AFD700EF24C895F6E77E5FB88314F00892EF555972E1DB78A948DB6A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00423700: _xtow@16.LIBCMT ref: 00423721
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
                                                                                      • _wcscpy.LIBCMT ref: 0043F9B1
                                                                                      • _wcscpy.LIBCMT ref: 0043F9DD
                                                                                      • __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 004236D0: @x64tow@20.LIBCMT ref: 004236F6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcscpy$@x64tow@20Exception@8Throw__i64tow__itow_memmove_xtow@16std::exception::exception
                                                                                      • String ID: %.15g$0x%p$False$True
                                                                                      • API String ID: 1760017398-2263619337
                                                                                      • Opcode ID: c38d9b48d0b7250c6676f86ab8e62d6128b56f7fb310e640c55886818ba1baeb
                                                                                      • Instruction ID: cdd8dc89b9c74c658104cf0a760322e4f13a95bb5b846f9aebd24ca3b9163d03
                                                                                      • Opcode Fuzzy Hash: c38d9b48d0b7250c6676f86ab8e62d6128b56f7fb310e640c55886818ba1baeb
                                                                                      • Instruction Fuzzy Hash: DE41D5B1A04219AADB24DF35D841F7773E8EF48304F20447FE549E63D2EA799D428B1A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.18%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00487093
                                                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 004870A7
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004870C1
                                                                                        • Part of subcall function 0048AF23: _wcspbrk.LIBCMT ref: 0048AF30
                                                                                        • Part of subcall function 0048AF23: _wcsncpy.LIBCMT ref: 0048AF64
                                                                                      • _wcscat.LIBCMT ref: 0048711C
                                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00487133
                                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00487161
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$CreateObjectShowStock_wcscat_wcsncpy_wcspbrk
                                                                                      • String ID: -----$SysListView32
                                                                                      • API String ID: 241103563-3975388722
                                                                                      • Opcode ID: 9b1a26a8c0c70ab52fe23d707f0f6cb833f8e13d4260bc8a5faa59c67bdc6ff6
                                                                                      • Instruction ID: 4fbf2f6a0a360f59c4a706c2668b2d14797c234da93993d2b1a3b4800614f543
                                                                                      • Opcode Fuzzy Hash: 9b1a26a8c0c70ab52fe23d707f0f6cb833f8e13d4260bc8a5faa59c67bdc6ff6
                                                                                      • Instruction Fuzzy Hash: 0F41C471A04308AFDB21AF64CC95BEF77A8EF08354F20082BF544E7292D679DD848B58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.48%

                                                                                      APIs
                                                                                        • Part of subcall function 0048A71E: DeleteObject.GDI32(00000000), ref: 0048A757
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0048896E
                                                                                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004889A4
                                                                                      • ShowWindow.USER32(?,00000000), ref: 004889ED
                                                                                      • ShowWindow.USER32(?,00000005), ref: 004889F3
                                                                                      • SetFocus.USER32 ref: 004889F7
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00488A35
                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00488A42
                                                                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 00488A86
                                                                                      • SendMessageW.USER32(?,00001026,00000000,?), ref: 00488A93
                                                                                        • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
                                                                                        • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageRectSend$ClientInvalidateLongScreenShow$BrushCreateDeleteFocusObjectSolid
                                                                                      • String ID:
                                                                                      • API String ID: 3433424984-0
                                                                                      • Opcode ID: 9ee29c6a714b648f10e23144f1ce0a6863bdfe809778bfe024b975fa15a7e1a7
                                                                                      • Instruction ID: c6b024f5472ab695e497d5b95dd9337e811c75869fcd45f43dd79c229618c00e
                                                                                      • Opcode Fuzzy Hash: 9ee29c6a714b648f10e23144f1ce0a6863bdfe809778bfe024b975fa15a7e1a7
                                                                                      • Instruction Fuzzy Hash: 9651A430600208BADF34BF25CC89B6E7B65BF05314FA0492FF515E62E1DF79A9809B59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.14%

                                                                                      APIs
                                                                                      • InvalidateRect.USER32(00000000,00000000,00000001), ref: 0043C626
                                                                                        • Part of subcall function 0048A71E: DeleteObject.GDI32(00000000), ref: 0048A757
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C547
                                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C569
                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C581
                                                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C59F
                                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C5C0
                                                                                      • DestroyCursor.USER32(00000000), ref: 0043C5CF
                                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C5EC
                                                                                      • DestroyCursor.USER32(?), ref: 0043C5FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CursorDestroyExtractIconImageLoadMessageSend$BrushCreateDeleteInvalidateLongObjectRectSolidWindow_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 3268869388-0
                                                                                      • Opcode ID: 81afcbf08828746e37249aa2d7169ad2f55defdc0271cb54902766973fdc60bd
                                                                                      • Instruction ID: ed5008150b57a45f5131e2346d738f4917d6b36040872bb3e781a27093426637
                                                                                      • Opcode Fuzzy Hash: 81afcbf08828746e37249aa2d7169ad2f55defdc0271cb54902766973fdc60bd
                                                                                      • Instruction Fuzzy Hash: B3516D74600205AFDB24DF25CD89FAA37B5EB58710F10452EF902A72D0DBB8ED91DB68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.83%

                                                                                      APIs
                                                                                      • #9.OLEAUT32(?,?,00000000,00000000), ref: 0047A1C0
                                                                                        • Part of subcall function 004570DC: #9.OLEAUT32(?,00000000,?,00000016,00479753,?,00000016,?,00000016), ref: 00457101
                                                                                        • Part of subcall function 00457096: #8.OLEAUT32(00000004,00000004,00479F87,0000002A,?,00000016), ref: 0045709A
                                                                                      • #9.OLEAUT32(-00000010,0000002A,?,00000016), ref: 0047A000
                                                                                      • #2.OLEAUT32(0048F910), ref: 0047A023
                                                                                      • #8.OLEAUT32(?,0000002A,?,00000016), ref: 0047A078
                                                                                      • _memset.LIBCMT ref: 0047A085
                                                                                        • Part of subcall function 00467804: #8.OLEAUT32(00000000,?,?,00000016,00000016,?,004799E9,?,?), ref: 00467844
                                                                                        • Part of subcall function 00467804: #10.OLEAUT32(00000000,?,?,004799E9,?,?), ref: 0046784D
                                                                                        • Part of subcall function 00467804: #9.OLEAUT32(00000000,?,004799E9,?,?), ref: 00467859
                                                                                        • Part of subcall function 004576C5: #6.OLEAUT32(?), ref: 00457818
                                                                                        • Part of subcall function 004576C5: lstrcmpiW.KERNEL32(?,?), ref: 004578F2
                                                                                        • Part of subcall function 004576C5: SysFreeString.OLEAUT32(?), ref: 004578FF
                                                                                        • Part of subcall function 004576C5: SysFreeString.OLEAUT32(?), ref: 0045791F
                                                                                        • Part of subcall function 004796DB: GetLastError.KERNEL32(?,00000000,?,0048FB84,?,00000016,?,00000016), ref: 004798A5
                                                                                        • Part of subcall function 004796DB: #8.OLEAUT32(?,?,?,?), ref: 00479999
                                                                                        • Part of subcall function 004796DB: #9.OLEAUT32(?,0048FB84,00000000,?,?,?,?,?), ref: 00479A43
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeString$ErrorLast_memsetlstrcmpi
                                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                                      • API String ID: 1596996103-572801152
                                                                                      • Opcode ID: 0707723bdbe81558296e901379cfcb5167d55349716ceae756385836d7a8d264
                                                                                      • Instruction ID: d1c791fb0e6f22c0c68d958e545617c08fe4ee677592400c8048375e82c93b3c
                                                                                      • Opcode Fuzzy Hash: 0707723bdbe81558296e901379cfcb5167d55349716ceae756385836d7a8d264
                                                                                      • Instruction Fuzzy Hash: E1C1A071A0020A9FDF10CF68C884BEEB7B5FB88314F54846AE909EB381E7789D55CB55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%
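Every function summary in this section uses the same layout: an APIs list in which indented "Part of subcall function" entries belong to a callee rather than to the function itself, a Similarity section carrying the String ID (entries joined with "$"), Opcode ID and fuzzy hashes, and a Uniqueness Score. When a report runs to thousands of such blocks, pulling those fields into a structured form is the practical way to pivot on them. The parser below is an added example and is not part of the Joe Sandbox report or product. SAMPLE is constructed from the __itow/_wcscpy summary and the OLEAUT32 summary above with the indentation collapsed; the ordinal table maps the "#N" names the report prints for OLEAUT32 ordinal imports to that DLL's fixed export ordinals, and the dataclass and function names are the example's own.

```python
"""Parse Joe Sandbox hybrid-code-analysis function summaries (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# OLEAUT32 is imported by ordinal; Joe Sandbox prints such imports as "#N".
# These ordinals are stable across Windows releases.
OLEAUT32_ORDINALS = {
    2: "SysAllocString", 3: "SysReAllocString", 4: "SysAllocStringLen",
    5: "SysReAllocStringLen", 6: "SysFreeString", 7: "SysStringLen",
    8: "VariantInit", 9: "VariantClear", 10: "VariantCopy",
    11: "VariantCopyInd", 12: "VariantChangeType",
}

# Matches both "Name.MODULE(args), ref: ADDR" and "Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

# Constructed sample: two summaries from the report with indentation collapsed.
SAMPLE = """\
APIs
• __itow.LIBCMT ref: 004099C2
  • Part of subcall function 00423700: _xtow@16.LIBCMT ref: 00423721
  • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
• _wcscpy.LIBCMT ref: 0043F9B1
• __i64tow.LIBCMT ref: 0043FA0F
Strings
Similarity
• String ID: %.15g$0x%p$False$True
• Opcode ID: c38d9b48d0b7250c6676f86ab8e62d6128b56f7fb310e640c55886818ba1baeb
• Instruction Fuzzy Hash: DE41D5B1A04219AADB24DF35D841F7773E8EF48304F20447FE549E63D2EA799D428B1A
Uniqueness

Uniqueness Score: 0.18%

APIs
• #9.OLEAUT32(?,?,00000000,00000000), ref: 0047A1C0
  • Part of subcall function 004576C5: SysFreeString.OLEAUT32(?), ref: 004578FF
• #2.OLEAUT32(0048F910), ref: 0047A023
• #8.OLEAUT32(?,0000002A,?,00000016), ref: 0047A078
• _memset.LIBCMT ref: 0047A085
Similarity
• String ID: NULL Pointer assignment$Not an Object type
• Opcode ID: 0707723bdbe81558296e901379cfcb5167d55349716ceae756385836d7a8d264
Uniqueness

Uniqueness Score: 100.00%
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                 # address of the call site
    parent: Optional[str]    # subcall function address, None for a direct call

    @property
    def resolved(self) -> str:
        """Translate an OLEAUT32 ordinal import ("#9") to its export name."""
        if self.module == "OLEAUT32" and self.name.startswith("#"):
            return OLEAUT32_ORDINALS.get(int(self.name[1:]), self.name)
        return self.name


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""
    fuzzy_hash: str = ""
    uniqueness: Optional[float] = None

    def direct_calls(self) -> list:
        return [c for c in self.calls if c.parent is None]

    def modules(self) -> list:
        return sorted({c.module for c in self.calls})


def parse_summaries(text: str) -> list:
    """Split report text into FunctionSummary objects, one per 'APIs' block."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = FunctionSummary()
            blocks.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif line.startswith("String ID:"):
            cur.strings = [s for s in line[len("String ID:"):].strip().split("$") if s]
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
    return blocks


def triage(summary: FunctionSummary) -> dict:
    """Flatten one summary into the fields an analyst pivots on."""
    return {
        "direct": [c.resolved for c in summary.direct_calls()],
        "modules": summary.modules(),
        "strings": summary.strings,
        "uniqueness": summary.uniqueness,
        "opcode_id": summary.opcode_id,
    }


if __name__ == "__main__":
    for s in parse_summaries(SAMPLE):
        print(triage(s))
```

Only direct calls are attributed to the function; the nested "Part of subcall function" entries keep their parent address so the same callee (for example 00407F41 with its _memmove) is not counted once per caller. The Opcode ID is what to pivot on across samples, since it hashes the function body rather than its addresses.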

                                                                                      APIs
                                                                                        • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
                                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 004632C5
                                                                                      • ExtractIconExW.SHELL32(?,004C6A2C,00000000,004C6A30,00000001), ref: 004632DA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Icon$ExtractLoad__wcsicmp_l
                                                                                      • String ID: blank$info$question$stop$warning
                                                                                      • API String ID: 3534929142-404129466
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.23%

                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046454E
                                                                                      • LoadStringW.USER32(00000000), ref: 00464555
                                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046456B
                                                                                      • LoadStringW.USER32(00000000), ref: 00464572
                                                                                      • _wprintf.LIBCMT ref: 00464598
                                                                                        • Part of subcall function 00423ECA: __stbuf.LIBCMT ref: 00423F1A
                                                                                        • Part of subcall function 00423ECA: __ftbuf.LIBCMT ref: 00423F47
                                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004645B6
                                                                                      Strings
                                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00464593
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadModuleString$Message__ftbuf__stbuf_wprintf
                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                      • API String ID: 504489916-3128320259
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 004203D3
                                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 004203DB
                                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004203E6
                                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004203F1
                                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 004203F9
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00420401
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual
                                                                                      • String ID: Lj w
                                                                                      • API String ID: 4278518827-3995317842
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,?), ref: 004674E5
                                                                                      • EnterCriticalSection.KERNEL32(?,?,0043D343), ref: 004674F6
                                                                                      • TerminateThread.KERNEL32(?,000001F6,?,0043D343), ref: 00467503
                                                                                      • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00467510
                                                                                        • Part of subcall function 00466ED7: CloseHandle.KERNEL32(?), ref: 00466EE1
                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467523
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,0043D343), ref: 0046752A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                      • String ID: %I
                                                                                      • API String ID: 3495660284-63094095
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,?), ref: 00402ACF
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00402B17
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048B9CC
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(00000000,00000000), ref: 0048B9F0
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048BA50
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(00000000,00000004), ref: 0048BA62
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(00000000,00000001), ref: 0048BA86
                                                                                        • Part of subcall function 0048B958: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000006), ref: 0043C46A
                                                                                      • LockWindowUpdate.USER32(00000000), ref: 0043C492
                                                                                      • InvalidateRect.USER32(00000000,00000000,00000001), ref: 0043C49E
                                                                                      • LockWindowUpdate.USER32(FFFFFFFF), ref: 0043C4AE
                                                                                      • EnableWindow.USER32(FFFFFFFF,00000001), ref: 0043C4BF
                                                                                      • ShowWindow.USER32(FFFFFFFF,?), ref: 0043C4D6
                                                                                        • Part of subcall function 00404A35: GetForegroundWindow.USER32 ref: 00404A3D
                                                                                        • Part of subcall function 00404A35: FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043DA8E
                                                                                        • Part of subcall function 00404A35: IsIconic.USER32(?), ref: 0043DA97
                                                                                        • Part of subcall function 00404A35: ShowWindow.USER32(?,00000009), ref: 0043DAA4
                                                                                        • Part of subcall function 00404A35: SetForegroundWindow.USER32(?), ref: 0043DAAE
                                                                                        • Part of subcall function 00404A35: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043DAC4
                                                                                        • Part of subcall function 00404A35: GetCurrentThreadId.KERNEL32 ref: 0043DACB
                                                                                        • Part of subcall function 00404A35: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043DAD7
                                                                                        • Part of subcall function 00404A35: AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAE8
                                                                                        • Part of subcall function 00404A35: AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAF0
                                                                                        • Part of subcall function 00404A35: AttachThreadInput.USER32(00000000,?,00000001), ref: 0043DAF8
                                                                                        • Part of subcall function 00404A35: SetForegroundWindow.USER32(?), ref: 0043DAFB
                                                                                        • Part of subcall function 00404A35: MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB10
                                                                                        • Part of subcall function 00404A35: keybd_event.USER32(00000012,00000000), ref: 0043DB1B
                                                                                        • Part of subcall function 00404A35: MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB25
                                                                                        • Part of subcall function 00404A35: keybd_event.USER32(00000012,00000000), ref: 0043DB2A
                                                                                        • Part of subcall function 00404A35: MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB33
                                                                                        • Part of subcall function 00404A35: keybd_event.USER32(00000012,00000000), ref: 0043DB38
                                                                                        • Part of subcall function 00404A35: MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB42
                                                                                        • Part of subcall function 00404A35: keybd_event.USER32(00000012,00000000), ref: 0043DB47
                                                                                        • Part of subcall function 00404A35: SetForegroundWindow.USER32(?), ref: 0043DB4A
                                                                                        • Part of subcall function 00404A35: AttachThreadInput.USER32(?,?,00000000), ref: 0043DB71
                                                                                        • Part of subcall function 00404A35: AttachThreadInput.USER32(?,00000000,00000000), ref: 0043DB79
                                                                                        • Part of subcall function 00404A35: AttachThreadInput.USER32(00000000,?,00000000), ref: 0043DB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Thread$Show$AttachInput$ForegroundVirtualkeybd_event$Enable$LockProcessUpdate$CurrentFindIconicInvalidateLongMessageRectSend
                                                                                      • String ID:
                                                                                      • API String ID: 3989600621-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.43%

                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 0048645A
                                                                                      • GetDC.USER32(00000000), ref: 00486462
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0048646D
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00486479
                                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004864B5
                                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004864C6
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00486500
                                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00486520
                                                                                        • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
                                                                                        • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientMessageRectScreenSendWindow$CapsCreateDeleteDeviceFontInvalidateMoveObjectRelease
                                                                                      • String ID:
                                                                                      • API String ID: 3380433687-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.16%

                                                                                      APIs
                                                                                      • __lock.LIBCMT ref: 00423477
                                                                                        • Part of subcall function 00429E4B: __mtinitlocknum.LIBCMT ref: 00429E5D
                                                                                        • Part of subcall function 00429E4B: EnterCriticalSection.KERNEL32(?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00429E76
                                                                                      • RtlDecodePointer.NTDLL(004BBB70), ref: 004234B6
                                                                                      • RtlDecodePointer.NTDLL ref: 004234C7
                                                                                      • EncodePointer.KERNEL32(00000000,?,00423310,000000FF,?,00429E6E,00000011,?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?), ref: 004234E0
                                                                                      • RtlDecodePointer.NTDLL(-00000004), ref: 004234F0
                                                                                      • EncodePointer.KERNEL32(00000000,?,00423310,000000FF,?,00429E6E,00000011,?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?), ref: 004234F6
                                                                                      • RtlDecodePointer.NTDLL ref: 0042350C
                                                                                      • RtlDecodePointer.NTDLL ref: 00423517
                                                                                        • Part of subcall function 00429FB5: LeaveCriticalSection.KERNEL32(?,00429D1B,0000000D,00429CD6), ref: 00429FC2
                                                                                        • Part of subcall function 004232DF: ___crtCorExitProcess.LIBCMT ref: 004232E5
                                                                                        • Part of subcall function 004232DF: ExitProcess.KERNEL32 ref: 004232EE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$Decode$CriticalEncodeExitProcessSection$EnterLeave___crt__lock__mtinitlocknum
                                                                                      • String ID:
                                                                                      • API String ID: 3532926286-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%
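
The "Memory Dump Source" names repeated under every function above encode where the analysed bytes came from. The following added example, not Joe Sandbox's own tooling, decodes those names and flags regions that were both writable and executable at dump time. The field layout (process number, dump number, timestamp, base address, protection) is an assumption inferred from the names on this page and should be confirmed against the Joe Sandbox version in use; the PAGE_* values are the standard Win32 constants from winnt.h. The six dump names in REPORT_DUMPS are copied from this report.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names from an HCA listing.

Added example for this report, not Joe Sandbox code. Assumed layout, inferred
from the names on this page (confirm against your Joe Sandbox version):
    <process no.>.<dump no.>.<timestamp>.<base address>.<protection>.sdmp
where <protection> is the Win32 PAGE_* constant of the dumped region.
"""
import re

# Win32 page protection constants (winnt.h); the low byte is the base protection.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ts>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]+)\.(?P<prot>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split one .sdmp file name into its fields and decode the protection."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    prot = int(m["prot"], 16)
    base_prot = prot & 0xFF
    return {
        "process": int(m["proc"], 16),
        "dump": int(m["dump"], 16),
        "base": int(m["base"], 16),
        "protection": prot,
        "protection_name": PAGE_PROTECTION.get(base_prot, f"UNKNOWN(0x{base_prot:02x})"),
        "modifiers": [n for bit, n in PAGE_MODIFIERS.items() if prot & bit],
        # Writable and executable at once: pages whose code can rewrite itself.
        "writable_executable": base_prot in (0x40, 0x80),
    }


def flag_rwx_regions(names):
    """Return (base address, protection name) for every dump that is RWX."""
    flagged = []
    for name in names:
        info = parse_sdmp_name(name)
        if info["writable_executable"]:
            flagged.append((info["base"], info["protection_name"]))
    return flagged


# The six dump names listed under "Memory Dump Source" for this sample.
REPORT_DUMPS = [
    "00000004.00000002.1883528133.00401000.00000040.sdmp",
    "00000004.00000002.1883521646.00400000.00000002.sdmp",
    "00000004.00000002.1883613144.00564000.00000004.sdmp",
    "00000004.00000002.1883620679.00565000.00000002.sdmp",
    "00000004.00000002.1883632813.00575000.00000002.sdmp",
    "00000004.00000002.1883692963.005FF000.00000040.sdmp",
]

if __name__ == "__main__":
    for base, prot in flag_rwx_regions(REPORT_DUMPS):
        print(f"RWX region at 0x{base:08X} ({prot})")
```

Run against the names on this page, the region at 0x401000 (where the first code section of an image based at 0x400000 normally lives, usually mapped PAGE_EXECUTE_READ) comes back PAGE_EXECUTE_READWRITE, as does the region at 0x5FF000. A writable code section is the usual footprint of a sample that unpacks or patches its own code in place; confirm it by diffing the dumped bytes against the on-disk .text section before relying on the on-disk disassembly.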

                                                                                      APIs
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                        • Part of subcall function 004013B0: EndPath.GDI32(?), ref: 004013BF
                                                                                        • Part of subcall function 004013B0: StrokeAndFillPath.GDI32(?), ref: 004013DB
                                                                                        • Part of subcall function 004013B0: SelectObject.GDI32(?,00000000), ref: 004013EE
                                                                                        • Part of subcall function 004013B0: DeleteObject.GDI32 ref: 00401401
                                                                                        • Part of subcall function 004013B0: StrokePath.GDI32(?), ref: 0040141C
                                                                                      • MoveToEx.GDI32(?,000000FE,?,00000000), ref: 0043B8CD
                                                                                      • AngleArc.GDI32(?,000000FE,?,?,-00000010,-00000010), ref: 0043B90E
                                                                                      • LineTo.GDI32(?,000000FE,?), ref: 0043B919
                                                                                      • CloseFigure.GDI32(?), ref: 0043B920
                                                                                      • Ellipse.GDI32(?,000000FE,?,?,00000000), ref: 0043B967
                                                                                      • Rectangle.GDI32(?,000000FE,?,00000000,00000000), ref: 0043B9C2
                                                                                      • SetPixel.GDI32(?,000000FE,?,?), ref: 0043B9FE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$Path$Select$DeleteStroke$AngleBeginCloseCreateEllipseFigureFillLineMovePixelRectangle
                                                                                      • String ID:
                                                                                      • API String ID: 304495578-0
                                                                                      • Opcode ID: f0a8001532de9112e9a68fc3d0de63e40e79399ac015fb4f5a0f866fb1fca3e0
                                                                                      • Instruction ID: 504086b8ac0d12f7a80c9a28070c24604f60f8592932f63d6c8978218f7d0df9
                                                                                      • Opcode Fuzzy Hash: f0a8001532de9112e9a68fc3d0de63e40e79399ac015fb4f5a0f866fb1fca3e0
                                                                                      • Instruction Fuzzy Hash: CF718170900109EFCB04DF94CC84EBFBB74FF85314F10816AF915AA2A1C738AA11CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.14%

                                                                                      APIs
                                                                                      • IsWindow.USER32(00BD7938), ref: 0048B6A5
                                                                                      • IsWindowEnabled.USER32(00BD7938), ref: 0048B6B1
                                                                                        • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                                                        • Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                                        • Part of subcall function 00402344: GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
                                                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B795
                                                                                      • SendMessageW.USER32(00BD7938,000000B0,?,?), ref: 0048B7CC
                                                                                      • IsDlgButtonChecked.USER32(?,?), ref: 0048B809
                                                                                      • GetWindowLongW.USER32(00BD7938,000000EC), ref: 0048B82B
                                                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B843
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048B9CC
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(00000000,00000000), ref: 0048B9F0
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(004C67B0,00000000), ref: 0048BA50
                                                                                        • Part of subcall function 0048B958: ShowWindow.USER32(00000000,00000004), ref: 0048BA62
                                                                                        • Part of subcall function 0048B958: EnableWindow.USER32(00000000,00000001), ref: 0048BA86
                                                                                        • Part of subcall function 0048B958: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSend$Show$AsyncEnableLongState$ButtonCheckedClientCursorEnabledScreen
                                                                                      • String ID:
                                                                                      • API String ID: 393453039-0
                                                                                      • Opcode ID: 84af26136d8c29eb5394fcac6202117ecf921a8f23c00558381dcf7e1411423a
                                                                                      • Instruction ID: a7d0881697c90ebb8ac62a69b5506f8dd5c31139f9226510073890e22dad6404
                                                                                      • Opcode Fuzzy Hash: 84af26136d8c29eb5394fcac6202117ecf921a8f23c00558381dcf7e1411423a
                                                                                      • Instruction Fuzzy Hash: 3A719034600304AFDB20AF64C894FAE7BB9FF49300F15486EE945A7361D739A841DB9D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.43%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcsncpy$LocalTime
                                                                                      • String ID:
                                                                                      • API String ID: 2945705084-0
                                                                                      • Opcode ID: 7a73a9d8b045da8df5336bb66c02e39a5d5c0cabf30c4969930a264d4c6a1f2d
                                                                                      • Instruction ID: 239261fae8d9192360add67fc14eaad88e6f5f5f9fe45dd7678ebb12787c5eaa
                                                                                      • Opcode Fuzzy Hash: 7a73a9d8b045da8df5336bb66c02e39a5d5c0cabf30c4969930a264d4c6a1f2d
                                                                                      • Instruction Fuzzy Hash: 514193A5D2012476CB10EBB598869CFB3A89F45710F90885BE518E3111F638E754C7AE
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.47%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00487519
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004875C0
                                                                                      • IsMenu.USER32(?), ref: 004875D8
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00487620
                                                                                      • DrawMenuBar.USER32 ref: 00487633
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                      • String ID: 0
                                                                                      • API String ID: 3866635326-4108050209
                                                                                      • Opcode ID: edeaa6d0161f0f44574b9eae0ef1f6fd71eb3f1ff2b29b23cea93bbffdc13975
                                                                                      • Instruction ID: 244ebd32b8f97b81259969125f729c00c6f494ffb7d64cbbbf547a27778ec249
                                                                                      • Opcode Fuzzy Hash: edeaa6d0161f0f44574b9eae0ef1f6fd71eb3f1ff2b29b23cea93bbffdc13975
                                                                                      • Instruction Fuzzy Hash: 29414775A05608EFDB10EF58D894E9EBBB8FB04320F14882AE915A7390D734ED51CFA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 0045E01F
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E045
                                                                                      • #2.OLEAUT32(00000000), ref: 0045E048
                                                                                      • #2.OLEAUT32(?,00000000,?,00000000), ref: 0045E066
                                                                                      • #6.OLEAUT32(?), ref: 0045E06F
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0045E094
                                                                                      • #2.OLEAUT32(?), ref: 0045E0A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$Exception@8FromStringThrowstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 3545288400-0
                                                                                      • Opcode ID: af460b2bfc03720ca398b6ffa2b4e5f1af1e65bd73a91500510b5d50cf2b39cb
                                                                                      • Instruction ID: 76de9d1de624e2530b4d2fb0faa612057c709ef15b4b14118b0da445987e5ca9
                                                                                      • Opcode Fuzzy Hash: af460b2bfc03720ca398b6ffa2b4e5f1af1e65bd73a91500510b5d50cf2b39cb
                                                                                      • Instruction Fuzzy Hash: 0121D33260022DAF9B109FA9DC48DBF73ECEF08761B14843AFD14DB291D6B49D498768
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.93%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000008), ref: 0045E0FA
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E120
                                                                                      • #2.OLEAUT32(00000000), ref: 0045E123
                                                                                      • #2.OLEAUT32(?,?,00000008), ref: 0045E144
                                                                                      • #6.OLEAUT32(?), ref: 0045E14D
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0045E167
                                                                                      • #2.OLEAUT32(?), ref: 0045E175
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$Exception@8FromStringThrowstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 3545288400-0
                                                                                      • Opcode ID: 59cdd7dab105c60b17e77c3d1b717de4bc98b19c03b579669a9f6d2ca5b990ba
                                                                                      • Instruction ID: 67c9d3dc381654df01c0c22ef12326e1a14a94d41d6a64db7bb41e680024eb02
                                                                                      • Opcode Fuzzy Hash: 59cdd7dab105c60b17e77c3d1b717de4bc98b19c03b579669a9f6d2ca5b990ba
                                                                                      • Instruction Fuzzy Hash: E721D671200518BF9B14AFA9DC88CAB73ECEB09761B10813AFD54CB2A1DB74DD458B68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.93%

                                                                                      APIs
                                                                                      • __wcsnicmp.LIBCMT ref: 0045FB81
                                                                                        • Part of subcall function 00423A0B: __wcsnicmp_l.LIBCMT ref: 00423AB4
                                                                                      • __wcsnicmp.LIBCMT ref: 0045FBA2
                                                                                      • __wcsnicmp.LIBCMT ref: 0045FBBC
                                                                                        • Part of subcall function 0041FEC6: _wcscpy.LIBCMT ref: 0041FEE9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wcsnicmp$__wcsnicmp_l_wcscpy
                                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                      • API String ID: 194375947-2734436370
                                                                                      • Opcode ID: 0e925c03f4af0fe31e00a2424debd37a6ffe6a5a1180d0815f1f539b658e43cf
                                                                                      • Instruction ID: 566f03899e7f3434533f03e94b1724d4296a521f6068b5759495cbded75bf72e
                                                                                      • Opcode Fuzzy Hash: 0e925c03f4af0fe31e00a2424debd37a6ffe6a5a1180d0815f1f539b658e43cf
                                                                                      • Instruction Fuzzy Hash: 17214B32200264A6D231A621ED12FA77398AF51305F50403BFD8587683E75CAD8E929F
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.48%
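
The three strings in the block above, #OnAutoItStartRegister, #notrayicon and #requireadmin, are AutoIt script directives, and the function compares its input against them case-insensitively with __wcsnicmp, which is what the AutoIt runtime's directive parser does. One caveat before reading more into them: every compiled AutoIt binary carries the interpreter, so these strings identify the runtime; by themselves they do not show that this particular script uses #requireadmin (which makes the runtime relaunch elevated through a UAC prompt) or #notrayicon (which hides the tray icon a running script normally shows). The following added example, not code from this report or from AutoIt, scans a file or memory dump for these markers so the runtime can be recognised in triage. The AU3!EA06 script-header magic it also looks for is general knowledge about compiled AutoIt v3 executables and does not appear in this report; the SAMPLE bytes are constructed for the demonstration.

```python
"""Triage helper: look for AutoIt runtime markers in a file or memory dump.

Added example for this report, not Joe Sandbox or AutoIt code. The directive
strings are the ones the function at 0045FB81 compares with __wcsnicmp; the
AU3!EA06 magic is general knowledge about compiled AutoIt v3 binaries and is
not taken from this report.
"""
import re

# Directives the interpreter recognises. Their presence marks the AutoIt
# runtime, not necessarily that the embedded script uses them.
DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")
# Header magic of an embedded compiled AutoIt v3 script (general knowledge).
AU3_MAGIC = b"AU3!EA06"


def _find_all(data, needle):
    """Yield every offset of needle in data."""
    i = data.find(needle)
    while i != -1:
        yield i
        i = data.find(needle, i + 1)


def scan_autoit_markers(data):
    """Return {marker: [offsets]} for every marker found in data.

    Directives are matched case-insensitively (the runtime uses __wcsnicmp)
    and in both ANSI and UTF-16LE, since the runtime compares wide strings.
    """
    hits = {}
    for off in _find_all(data, AU3_MAGIC):
        hits.setdefault("AU3!EA06", []).append(off)
    for directive in DIRECTIVES:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(directive.encode(encoding)), re.IGNORECASE)
            for m in pattern.finditer(data):
                hits.setdefault(directive, []).append(m.start())
    return hits


def verdict(hits):
    """Summarise what the markers support, without over-claiming."""
    if "AU3!EA06" in hits:
        return "compiled AutoIt v3 script present"
    if any(d in hits for d in DIRECTIVES):
        return "AutoIt runtime strings present (directive table), script body not located"
    return "no AutoIt markers"


# Constructed sample: a fake header, one ANSI directive in mixed case, one
# UTF-16LE directive as the runtime compares it, padding, then the magic.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"#NoTrayIcon\x00"
    + "#requireadmin".encode("utf-16-le")
    + b"\xcc" * 8
    + AU3_MAGIC + b"\x00" * 4
)

if __name__ == "__main__":
    found = scan_autoit_markers(SAMPLE)
    for marker, offsets in found.items():
        print(marker, [hex(o) for o in offsets])
    print(verdict(found))
```

Point the scanner at the on-disk sample and at the 0x400000-based dumps listed in this report separately: the interpreter's directive table will show up in both, while the AU3!EA06 header is what tells you the script body itself is present in that region and can be extracted for decompilation.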

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004878A1
                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004878AE
                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004878B9
                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004878C8
                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004878D4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$CreateObjectShowStock
                                                                                      • String ID: Msctls_Progress32
                                                                                      • API String ID: 269107984-3636473452
                                                                                      • Opcode ID: f7bc9240e14bc4aef0fe5bbffa24766386ea0ca3a5f7e24fad0349575530a0aa
                                                                                      • Instruction ID: 92253c4dff29aad24290472b4db2c2572747c1f81b0a32cfc704e08449bf8f20
                                                                                      • Opcode Fuzzy Hash: f7bc9240e14bc4aef0fe5bbffa24766386ea0ca3a5f7e24fad0349575530a0aa
                                                                                      • Instruction Fuzzy Hash: 281104B2540219BFEF15AF60CC85EEB7F6DEF08798F114115FA04A2090CB769C21DBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • __init_pointers.LIBCMT ref: 00429D26
                                                                                        • Part of subcall function 004233C7: RtlEncodePointer.NTDLL(00000000), ref: 004233CA
                                                                                        • Part of subcall function 004233C7: __initp_misc_winsig.LIBCMT ref: 004233E5
                                                                                        • Part of subcall function 004233C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0042A0E0
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042A0F4
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042A107
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042A11A
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042A12D
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0042A140
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0042A153
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0042A166
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0042A179
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0042A18C
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0042A19F
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0042A1B2
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0042A1C5
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0042A1D8
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0042A1EB
                                                                                        • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0042A1FE
                                                                                      • __mtinitlocks.LIBCMT ref: 00429D2B
                                                                                      • __mtterm.LIBCMT ref: 00429D34
                                                                                        • Part of subcall function 00429D9C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00429D39,00427F0D,004BBD38,00000014), ref: 00429E96
                                                                                        • Part of subcall function 00429D9C: _free.LIBCMT ref: 00429E9D
                                                                                        • Part of subcall function 00429D9C: DeleteCriticalSection.KERNEL32(0BL,?,?,00429D39,00427F0D,004BBD38,00000014), ref: 00429EBF
                                                                                      • __calloc_crt.LIBCMT ref: 00429D59
                                                                                        • Part of subcall function 00428A15: __calloc_impl.LIBCMT ref: 00428A24
                                                                                      • __mtterm.LIBCMT ref: 00429D93
                                                                                        • Part of subcall function 0042A026: TlsSetValue.KERNEL32(?,?,?,00429C40,00000000,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 0042A040
                                                                                      • __initptd.LIBCMT ref: 00429D7B
                                                                                        • Part of subcall function 00429C73: __lock.LIBCMT ref: 00429CB7
                                                                                        • Part of subcall function 00429C73: __lock.LIBCMT ref: 00429CD8
                                                                                        • Part of subcall function 00429C73: ___addlocaleref.LIBCMT ref: 00429CF6
                                                                                      • GetCurrentThreadId.KERNEL32(00427F0D,004BBD38,00000014), ref: 00429D82
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CriticalDeleteSection__lock__mtterm$CurrentEncodeHandleModulePointerThreadValue___addlocaleref__calloc_crt__calloc_impl__init_pointers__initp_misc_winsig__initptd__mtinitlocks_free
                                                                                      • String ID:
                                                                                      • API String ID: 335892217-0
                                                                                      • Opcode ID: 0032ce98d80b6da20572b252ff7a2ec3726a0071997436604a018428a97a3cd4
                                                                                      • Instruction ID: 3a4ad7869198ffd9109903b6ff0dd43e1d919ab51d7ec4b7e1e30be07ee80a48
                                                                                      • Opcode Fuzzy Hash: 0032ce98d80b6da20572b252ff7a2ec3726a0071997436604a018428a97a3cd4
                                                                                      • Instruction Fuzzy Hash: EEF06D727297316AF6347B7ABC0668A2694DF01738FA04A2FF458D51E2EF1C8C41559C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.97%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004241E3
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004241EA
                                                                                      • EncodePointer.KERNEL32(00000000), ref: 004241F6
                                                                                      • DecodePointer.KERNEL32(00000001), ref: 00424213
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoInitialize$combase.dll
                                                                                      • API String ID: 3489934621-340411864
                                                                                      • Opcode ID: 5bccab6494b523de4f89304bf15fd68300b1f9e2fdfa0f03ecf7e752e13a8ef8
                                                                                      • Instruction ID: 554aba7e706935eef98d5f48fecafe8f14f9d0301701379c1545929dc36dfa4f
                                                                                      • Opcode Fuzzy Hash: 5bccab6494b523de4f89304bf15fd68300b1f9e2fdfa0f03ecf7e752e13a8ef8
                                                                                      • Instruction Fuzzy Hash: 8EE09AB0690300AEEF911F70ED4DF083A95ABA0B02F644839B851D10A0DBF940A89B0C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004241B8), ref: 004242B8
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004242BF
                                                                                      • EncodePointer.KERNEL32(00000000), ref: 004242CA
                                                                                      • DecodePointer.KERNEL32(004241B8), ref: 004242E5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoUninitialize$combase.dll
                                                                                      • API String ID: 3489934621-2819208100
                                                                                      • Opcode ID: 38a029e66ea7d27f7a9163d1d7d860f5c65e6d37c153c2e42146312fef8db417
                                                                                      • Instruction ID: 15b1a5aa7e18a967cd8893ea7d93c869ab9a07ceb3ae99f86fd7b01cca389b21
                                                                                      • Opcode Fuzzy Hash: 38a029e66ea7d27f7a9163d1d7d860f5c65e6d37c153c2e42146312fef8db417
                                                                                      • Instruction Fuzzy Hash: 71E04F78681300EFDB409B21FE0CF493AA4F750742F140539F041D11A0CFB84644CB1C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%
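
The function blocks above mix two kinds of records: calls the FLIRT signatures attribute to the C runtime (the LIBCMT-tagged __init_pointers block, whose GetProcAddress lookups for FlsAlloc, CreateThreadpoolWait and friends are ordinary MSVC start-up code resolving APIs that do not exist on older Windows), and calls that reflect the sample's own behaviour (the Msctls_Progress32 progress-bar setup, the menu manipulation, and the two wrappers that load combase.dll with LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800) and resolve RoInitialize / RoUninitialize behind EncodePointer). The script below is an added triage helper, not Joe Sandbox code: it parses the bullet lines in the same shape as the "APIs" entries of this report, attributes each "Part of subcall" line to the preceding top-level call (an assumption about how the report orders its lines), separates CRT plumbing from application-level Win32 calls, lists the exports resolved at runtime (which never appear in the static import table) and decodes the PBM_* messages. The embedded SAMPLE is a constructed excerpt of lines from this page. Two caveats: the export name for the combase.dll lookups is taken from the fourth value of the LoadLibraryExW record, which is a neighbouring stack slot rather than a real parameter (LoadLibraryExW takes three), and those wrappers come out as "app" only because the report gives them no LIBCMT tag, although their EncodePointer style matches the runtime's start-up code.

```python
"""Triage Joe Sandbox HCA "APIs" records: CRT noise vs. sample behaviour.

Added example for this report, not Joe Sandbox code. SAMPLE is a constructed
excerpt of the bullet lines shown in the function blocks above.
"""
import re
from collections import OrderedDict

SAMPLE = """
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004878A1
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004878AE
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004878B9
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004878C8
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004878D4
• __init_pointers.LIBCMT ref: 00429D26
  • Part of subcall function 004233C7: RtlEncodePointer.NTDLL(00000000), ref: 004233CA
  • Part of subcall function 004233C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0042A0E0
  • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042A0F4
  • Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0042A1D8
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004241E3
• GetProcAddress.KERNEL32(00000000), ref: 004241EA
• EncodePointer.KERNEL32(00000000), ref: 004241F6
• CreatePopupMenu.USER32 ref: 004627E6
"""

# One "APIs" bullet: optional "Part of subcall function X:", API.MODULE(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX = re.compile(r"^[0-9A-F]{8}$")

# Progress-bar messages seen against the Msctls_Progress32 control.
# PBM_* = WM_USER (0x400) + n; PBM_SETBKCOLOR is CCM_SETBKCOLOR (0x2001).
PBM = {0x401: "PBM_SETRANGE", 0x402: "PBM_SETPOS", 0x404: "PBM_SETSTEP",
       0x409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR"}


def parse(text):
    """Yield one dict per API line; subcall lines inherit the last top-level call."""
    parent = None
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        rec = {"api": m.group("api"), "mod": m.group("mod"), "args": args,
               "ref": m.group("ref"), "sub": m.group("sub")}
        if rec["sub"] is None:
            parent = rec          # assumption: subcalls follow their caller's line
        rec["parent"] = None if rec["sub"] is None else parent
        yield rec


def is_crt(rec):
    """True for LIBCMT-tagged calls and for subcalls made on behalf of one."""
    top = rec["parent"] or rec
    return top["mod"] == "LIBCMT"


def strings(args):
    """Argument values that are neither '?' nor a raw 32-bit hex word."""
    return [a for a in args if a != "?" and not HEX.match(a)]


def runtime_imports(records):
    """Export name -> (library, 'crt'|'app') for APIs resolved via GetProcAddress."""
    out, lib, pending = OrderedDict(), None, None
    for rec in records:
        origin = "crt" if is_crt(rec) else "app"
        if rec["api"] in ("LoadLibraryExW", "LoadLibraryW", "GetModuleHandleW"):
            s = strings(rec["args"])
            lib = s[0] if s else None
            # Heuristic: a second string is the next stack slot, i.e. the name
            # pushed for the GetProcAddress that follows (not a real parameter).
            pending = s[1] if len(s) > 1 else None
        elif rec["api"] == "GetProcAddress":
            s = strings(rec["args"])
            name = s[0] if s else pending
            if name:
                out[name] = (lib, origin)
            pending = None
    return out


def decode_lparam(name, lparam):
    """Make the PBM lParam readable: MAKELPARAM(min, max) for SETRANGE, CLR_DEFAULT for colours."""
    if name == "PBM_SETRANGE":
        v = int(lparam, 16)
        return f"min={v & 0xFFFF} max={v >> 16}"
    if name in ("PBM_SETBARCOLOR", "PBM_SETBKCOLOR") and lparam.upper() == "FF000000":
        return "CLR_DEFAULT"
    return lparam


def progress_messages(records):
    """(ref, message, wParam, decoded lParam) for SendMessageW calls with PBM ids."""
    out = []
    for rec in records:
        a = rec["args"]
        if rec["api"] == "SendMessageW" and len(a) >= 4 and HEX.match(a[1]):
            msg = int(a[1], 16)
            if msg in PBM:
                out.append((rec["ref"], PBM[msg], a[2], decode_lparam(PBM[msg], a[3])))
    return out


def triage(text):
    records = list(parse(text))
    app = [r for r in records if not is_crt(r)]
    return {
        "total": len(records),
        "crt": sum(1 for r in records if is_crt(r)),
        "app_apis": sorted({f'{r["mod"]}!{r["api"]}' for r in app}),
        "runtime_imports": runtime_imports(records),
        "progress_bar": progress_messages(records),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE))
```

Feeding the whole "APIs" section of the report through triage() instead of SAMPLE gives a de-noised list of Win32 calls to look at, plus the set of names the binary resolves at runtime; any export in that set that is not CRT-attributed and is not in the static import table is worth a second look.
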

                                                                                      APIs
                                                                                      • GetClientRect.USER32(?,?), ref: 00401DDC
                                                                                      • GetWindowRect.USER32(?,?), ref: 00401E1D
                                                                                      • ScreenToClient.USER32(?,?), ref: 00401E45
                                                                                      • GetClientRect.USER32(?,?), ref: 00401F74
                                                                                      • GetWindowRect.USER32(?,?), ref: 00401F8D
                                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0043BD81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                      • String ID:
                                                                                      • API String ID: 3220332590-0
                                                                                      • Opcode ID: d137a9c50dddbd1c864f695680de21518bce5053a59fcecd0cad3697e154db73
                                                                                      • Instruction ID: ed51bef88b18f13e8c67287d0da0124a028b815528b7051244985eeafb7c58ca
                                                                                      • Opcode Fuzzy Hash: d137a9c50dddbd1c864f695680de21518bce5053a59fcecd0cad3697e154db73
                                                                                      • Instruction Fuzzy Hash: 6BB14E7990024ADBDF10CFA8C5807EEB7B1FF08310F14952AED59AB361DB34A951CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                        • Part of subcall function 00465B29: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,?,004667E1,00000000,00000000), ref: 00465B55
                                                                                        • Part of subcall function 00465B29: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,004667E1,00000000,00000000,00000000,?), ref: 00465B7C
                                                                                      • _memmove.LIBCMT ref: 004667E8
                                                                                        • Part of subcall function 004079AB: _memmove.LIBCMT ref: 004079F9
                                                                                      • _memmove.LIBCMT ref: 0046685B
                                                                                        • Part of subcall function 0046573E: _strlen.LIBCMT ref: 00465756
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00466870), ref: 00465769
                                                                                        • Part of subcall function 0046573E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00466870), ref: 0046579D
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 004668AD
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                      • _memmove.LIBCMT ref: 00466942
                                                                                      • _memmove.LIBCMT ref: 0046695B
                                                                                      • _memmove.LIBCMT ref: 00466977
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$ByteCharMultiWide$_wcscpy$Exception@8Throw__i64tow__itow_strlenstd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 305090657-0
                                                                                      • Opcode ID: 322fe69d82f4268864c5f2193f02a8dbd5e3296036215b5cbfbf802dc769ace7
                                                                                      • Instruction ID: 6f91ede795408b0bfae053ebd451bddb5c2729c6fb0f0f0f08a4ed72ad27e223
                                                                                      • Opcode Fuzzy Hash: 322fe69d82f4268864c5f2193f02a8dbd5e3296036215b5cbfbf802dc769ace7
                                                                                      • Instruction Fuzzy Hash: C9619F7060025A9BDF11EF66C881EFE37A4AF0430CF45452EF8556B2D2EB38AD05CB5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.36%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID:
                                                                                      • API String ID: 4104443479-0
                                                                                      • Opcode ID: e0e4c2a5e8745864faa56e5889f7aed8dc9d36647b4b934b0d9476528ef57ffe
                                                                                      • Instruction ID: 2e2eaad49763833bbcfc7c68f572f088d5f8d2798b4c1c5c41ffca29e6c5e6c5
                                                                                      • Opcode Fuzzy Hash: e0e4c2a5e8745864faa56e5889f7aed8dc9d36647b4b934b0d9476528ef57ffe
                                                                                      • Instruction Fuzzy Hash: E6517BB5A00209EFCB10CF58D880AAAB7B8FF4C354B15856AED59DB301E734E915CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00462747
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462792
                                                                                      • IsMenu.USER32(00000000), ref: 004627B2
                                                                                      • CreatePopupMenu.USER32 ref: 004627E6
                                                                                        • Part of subcall function 00462C42: _memset.LIBCMT ref: 00462CAF
                                                                                        • Part of subcall function 00462C42: GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00462CCB
                                                                                        • Part of subcall function 00462C42: DeleteMenu.USER32(?,00000007,00000000), ref: 00462D11
                                                                                        • Part of subcall function 00462C42: DeleteMenu.USER32(?,00000000,00000000), ref: 00462D5A
                                                                                      • GetMenuItemCount.USER32(000000FF), ref: 00462844
                                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462875
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DeleteInfo_memset$CountCreateInsertPopup
                                                                                      • String ID:
                                                                                      • API String ID: 1721661707-0
                                                                                      • Opcode ID: 26be2bb6517104d0e06652614555473398c1a5c4668b3e74760e83b0a7226d5a
                                                                                      • Instruction ID: ae907cd3f2aa1f5fb6f168798142b7ed047680f4cd9d897be70698fd7a4ddbb7
                                                                                      • Opcode Fuzzy Hash: 26be2bb6517104d0e06652614555473398c1a5c4668b3e74760e83b0a7226d5a
                                                                                      • Instruction Fuzzy Hash: FD51B270A00705FFDF14DF68CE88AAEBBF4AF44314F10462EE4119B291E7B88904CB56
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.20%

                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • BeginPaint.USER32(?,?), ref: 0040179A
                                                                                      • GetWindowRect.USER32(?,?), ref: 004017FE
                                                                                      • ScreenToClient.USER32(?,?), ref: 0040181B
                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
                                                                                      • EndPaint.USER32(?,?), ref: 00401876
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0043BACB
                                                                                        • Part of subcall function 004013B0: EndPath.GDI32(?), ref: 004013BF
                                                                                        • Part of subcall function 004013B0: StrokeAndFillPath.GDI32(?), ref: 004013DB
                                                                                        • Part of subcall function 004013B0: SelectObject.GDI32(?,00000000), ref: 004013EE
                                                                                        • Part of subcall function 004013B0: DeleteObject.GDI32 ref: 00401401
                                                                                        • Part of subcall function 004013B0: StrokePath.GDI32(?), ref: 0040141C
                                                                                        • Part of subcall function 00401424: MoveToEx.GDI32(?,000000FE,?,00000000), ref: 0043B8CD
                                                                                        • Part of subcall function 00401424: AngleArc.GDI32(?,000000FE,?,?,-00000010,-00000010), ref: 0043B90E
                                                                                        • Part of subcall function 00401424: LineTo.GDI32(?,000000FE,?), ref: 0043B919
                                                                                        • Part of subcall function 00401424: CloseFigure.GDI32(?), ref: 0043B920
                                                                                        • Part of subcall function 00401424: Ellipse.GDI32(?,000000FE,?,?,00000000), ref: 0043B967
                                                                                        • Part of subcall function 00401424: Rectangle.GDI32(?,000000FE,?,00000000,00000000), ref: 0043B9C2
                                                                                        • Part of subcall function 00401424: SetPixel.GDI32(?,000000FE,?,?), ref: 0043B9FE
                                                                                        • Part of subcall function 0040152E: BeginPath.GDI32(00000000), ref: 0040154C
                                                                                        • Part of subcall function 0040152E: PolyDraw.GDI32(00000000,00000002,?,?), ref: 004015C3
                                                                                        • Part of subcall function 0040152E: PolyDraw.GDI32(00000000,00000002,00000810,?), ref: 00401602
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ObjectPath$BeginSelect$DeleteDrawPaintPolyRectangleStrokeWindow$AngleClientCloseCreateEllipseFigureFillLineLongMovePixelRectScreenViewport
                                                                                      • String ID:
                                                                                      • API String ID: 248873171-0
                                                                                      • Opcode ID: 56be482601004f4b1705778519a4c5320a5bfaca86b85f6e7b93d582801014dc
                                                                                      • Instruction ID: f496b0d24a919446a821901bb08c967343d20a2d6e91284dadc4af8012d8984c
                                                                                      • Opcode Fuzzy Hash: 56be482601004f4b1705778519a4c5320a5bfaca86b85f6e7b93d582801014dc
                                                                                      • Instruction Fuzzy Hash: F8418C71100200AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C7359946DB6A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.16%

                                                                                      APIs
                                                                                      • ShowWindow.USER32(004C67B0,00000000), ref: 0048B9CC
                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 0048B9F0
                                                                                      • ShowWindow.USER32(004C67B0,00000000), ref: 0048BA50
                                                                                      • ShowWindow.USER32(00000000,00000004), ref: 0048BA62
                                                                                      • EnableWindow.USER32(00000000,00000001), ref: 0048BA86
                                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 642888154-0
                                                                                      • Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
                                                                                      • Instruction ID: 4bbfffa5aca34bc284a6f875752b5b7a56a0dd7a11c68d007de5de2d50af2dcc
                                                                                      • Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
                                                                                      • Instruction Fuzzy Hash: 6E416470600241EFDB25DF14C489B9A7BE0FF05314F1846BAEE589F3A2C735A84ADB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                        • Part of subcall function 00457631: CLSIDFromProgID.OLE32 ref: 0045766F
                                                                                        • Part of subcall function 00457631: ProgIDFromCLSID.OLE32(?,00000000), ref: 0045768A
                                                                                        • Part of subcall function 00457631: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 00457698
                                                                                        • Part of subcall function 00457631: CoTaskMemFree.OLE32(00000000), ref: 004576A8
                                                                                        • Part of subcall function 00457631: CLSIDFromString.OLE32(?,?), ref: 004576B4
                                                                                      • GetDC.USER32(00000000), ref: 0045BC78
                                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0045BC89
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045BC90
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0045BC98
                                                                                      • MulDiv.KERNEL32(000009EC,0045B928,00000000), ref: 0045BCAF
                                                                                      • MulDiv.KERNEL32(000009EC,016A52EC,?), ref: 0045BCC1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: From$CapsDeviceProg$FreeReleaseStringTasklstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 2627017686-0
                                                                                      • Opcode ID: 27d5f6c0d5386ce97d9d35851ba942d0fe3d4e9262dd3fedd2d873a9d9f17fda
                                                                                      • Instruction ID: 7f9c1bc2a87cc2331d83c7cbd88c6f2eb8871b90a119ce95a65b068cf2fd8a08
                                                                                      • Opcode Fuzzy Hash: 27d5f6c0d5386ce97d9d35851ba942d0fe3d4e9262dd3fedd2d873a9d9f17fda
                                                                                      • Instruction Fuzzy Hash: CD018871E407097BDB105FB55C49E5EBFA8DB44761F10407AFE04A7391DA308C15CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.12%

                                                                                      APIs
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0048C1C4
                                                                                      • LineTo.GDI32(00000000,00000003,?), ref: 0048C1D8
                                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C1E6
                                                                                      • LineTo.GDI32(00000000,00000000,?), ref: 0048C1F6
                                                                                      • EndPath.GDI32(00000000), ref: 0048C206
                                                                                      • StrokePath.GDI32(00000000), ref: 0048C216
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                      • String ID:
                                                                                      • API String ID: 372113273-0
                                                                                      • Opcode ID: 50c0785a0f867adaeafbee75c91b230cbac4e515806904eb16af30bcadf3702c
                                                                                      • Instruction ID: 89b87adcafcd02c20156ebc744166949cd87f219d271a2b64e3a0db778f8eb43
                                                                                      • Opcode Fuzzy Hash: 50c0785a0f867adaeafbee75c91b230cbac4e515806904eb16af30bcadf3702c
                                                                                      • Instruction Fuzzy Hash: E5111B7640010CBFDB11AF90DC88EAA7FADEB04394F048476BE185A1A1C7719E55DBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00462CAF
                                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00462CCB
                                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00462D11
                                                                                      • DeleteMenu.USER32(?,00000000,00000000), ref: 00462D5A
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Menu$Delete$InfoItem_memmove_memset
                                                                                      • String ID: 0
                                                                                      • API String ID: 2152430080-4108050209
                                                                                      • Opcode ID: f198ced482b16800fe01b2f039e7944b992b1629c250c68e53310c846a39f2ef
                                                                                      • Instruction ID: 0ba1456fd131f45ac79e83895ae1ccd7d82afcfcc3e6ebc7136bcd4d9a7bd99d
                                                                                      • Opcode Fuzzy Hash: f198ced482b16800fe01b2f039e7944b992b1629c250c68e53310c846a39f2ef
                                                                                      • Instruction Fuzzy Hash: F8419130204702AFD720DF25C944B5BB7E4AF85324F14462EF96597291E7B8E904CBAB
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 1.85%

                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
                                                                                        • Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66
                                                                                      • _memset.LIBCMT ref: 0040418D
                                                                                        • Part of subcall function 0040463E: _wcsncpy.LIBCMT ref: 00404652
                                                                                      • _wcscpy.LIBCMT ref: 004041E1
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
                                                                                        • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: _memmove$IconLoadNotifyShell_String_memset_wcscpy_wcsncpy
                                                                                      • String ID: Line:
                                                                                      • API String ID: 3448885215-1585850449
                                                                                      • Opcode ID: 4dabcb287aa0014f2b865201e2cf0eafda2d30f8a4c5563cc53a3e2912b2ce29
                                                                                      • Instruction ID: 58a74a7614972f0f445e6137c0dd90b430b5bf5ec00f8e3566b7ff54c1cdf52a
                                                                                      • Opcode Fuzzy Hash: 4dabcb287aa0014f2b865201e2cf0eafda2d30f8a4c5563cc53a3e2912b2ce29
                                                                                      • Instruction Fuzzy Hash: 8B31C171408304AAD761EB60DC45FDB73E8AF44304F10497FB184A21D1EB78A649C79F
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004866D0
                                                                                      • LoadLibraryW.KERNEL32(?), ref: 004866D7
                                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004866EC
                                                                                      • DestroyWindow.USER32(?), ref: 004866F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: MessageSendWindow$CreateDestroyLibraryLoadObjectShowStock
                                                                                      • String ID: SysAnimate32
                                                                                      • API String ID: 2125232845-1011021900
                                                                                      • Opcode ID: 6ff0cea8df7c8dbd966367875cc0fa59ce0a78d58aa6e2900808d1d81c72dfb1
                                                                                      • Instruction ID: 107bb2381c9b110c9a3b8e0dc5be6575e68445ddc2201bb672f8ab0b69eab8f0
                                                                                      • Opcode Fuzzy Hash: 6ff0cea8df7c8dbd966367875cc0fa59ce0a78d58aa6e2900808d1d81c72dfb1
                                                                                      • Instruction Fuzzy Hash: 6E21D471100205BFEF506F64EC80EBF37ADEF55328F114A2AF910A2290E779CC419769
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
• GetStockObject.GDI32(00000011), ref: 00401D87
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
• ShowWindow.USER32(00000000,00000000), ref: 0043BD22
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Window$CreateMessageObjectSendShowStock
• String ID: athan
• API String ID: 1358664141-369431050
• Opcode ID: 6ef78ac23a4bd727a3300ca9299958f8ec95875dc6640e3e56f2f55486011c29
• Instruction ID: bcc18056a9f9bf7612c1f1802b6de8f9928d6a82d4ed00d2f4876380ead3997e
• Opcode Fuzzy Hash: 6ef78ac23a4bd727a3300ca9299958f8ec95875dc6640e3e56f2f55486011c29
• Instruction Fuzzy Hash: 0D11A172501108BFEF018F90DC44EEB7B69FF48354F440126FA0462160C739EC60DBA4
Uniqueness
• Uniqueness Score: 2.04%

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004241E3
• GetProcAddress.KERNEL32(00000000), ref: 004241EA
• EncodePointer.KERNEL32(00000000), ref: 004241F6
• DecodePointer.KERNEL32(00000001), ref: 00424213
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
• Opcode ID: dd13c08ab37e80bf1927b8ff06d098bbfda6e910d72f62f948d3123e59d291c0
• Instruction ID: 4a732e24270c1dda5bee5a6c288e9bc2dfac411a4ff9226b3ae07dfd94810194
• Opcode Fuzzy Hash: dd13c08ab37e80bf1927b8ff06d098bbfda6e910d72f62f948d3123e59d291c0
• Instruction Fuzzy Hash: 5EE01770391300AAEF612BB1ED0DF193994ABA0B43FA08979B551E40E0DBE944999B1C
Uniqueness
• Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
• _memset.LIBCMT ref: 004256AB
• _memcpy_s.LIBCMT ref: 0042571D
  • Part of subcall function 00430F18: _memmove.LIBCMT ref: 00430F51
  • Part of subcall function 00430F18: _memset.LIBCMT ref: 00430F63
• __read_nolock.LIBCMT ref: 0042577B
  • Part of subcall function 004310AB: __malloc_crt.LIBCMT ref: 00431194
  • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 004311C5
  • Part of subcall function 004310AB: GetConsoleMode.KERNEL32(00000080,?), ref: 004312A7
  • Part of subcall function 004310AB: ReadConsoleW.KERNEL32(0048FB24,?,004385D3,?,00000000), ref: 004312D3
  • Part of subcall function 004310AB: GetLastError.KERNEL32(?,?,?,?,?,0048FB24,00000001,00000000,?,?,?,?,?,?,004385D3,0048FB24), ref: 004312DD
  • Part of subcall function 004310AB: __dosmaperr.LIBCMT ref: 004312E4
  • Part of subcall function 004310AB: ReadFile.KERNEL32(0048FB24,?,004385D3,?,00000000), ref: 00431317
  • Part of subcall function 004310AB: ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 004313DD
  • Part of subcall function 004310AB: GetLastError.KERNEL32(?,0048FB24,00000001,00000000,?,?,?,?,?,?,004385D3,0048FB24,00000080,00000003), ref: 004313E7
  • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 00431452
  • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 00431561
  • Part of subcall function 004310AB: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004385D3,004385D2,0048FB24,?,?,?,?,?,?,0048FB24,00000001,00000000), ref: 00431580
  • Part of subcall function 004310AB: _free.LIBCMT ref: 004315B3
  • Part of subcall function 004310AB: ReadFile.KERNEL32(00000080,00000080,00000002,?,00000000), ref: 004316E6
  • Part of subcall function 004310AB: GetLastError.KERNEL32(?,0048FB24,00000001,00000000), ref: 004316F0
  • Part of subcall function 004310AB: __lseeki64_nolock.LIBCMT ref: 0043178A
  • Part of subcall function 004310AB: GetLastError.KERNEL32(?,0048FB24,00000001,00000000,?,?,?,?,?,?,004385D3,0048FB24,00000080,00000003), ref: 004317E3
• __filbuf.LIBCMT ref: 0042579E
  • Part of subcall function 00430DF7: __getbuf.LIBCMT ref: 00430E47
  • Part of subcall function 00430DF7: __read.LIBCMT ref: 00430E62
• _memset.LIBCMT ref: 004257E2
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: ErrorLastRead__lseeki64_nolock$File_memset$Console$ByteCharModeMultiWide__dosmaperr__filbuf__getbuf__getptd_noexit__malloc_crt__read__read_nolock_free_memcpy_s_memmove
• String ID:
• API String ID: 1189629394-0
• Opcode ID: 81411999657e3e763d812df863fa8787a6ab3c9ff8487da223325fcefd1e7ca8
• Instruction ID: 8f486d84be92ee44d8014861303fa160b6b430e9f344387c801a4323594451c0
• Opcode Fuzzy Hash: 81411999657e3e763d812df863fa8787a6ab3c9ff8487da223325fcefd1e7ca8
• Instruction Fuzzy Hash: B951D930B00B25DBDB248F79E88466F77B1AF40324FA4832FF829962D0D7789D518B49
Uniqueness
• Uniqueness Score: 3.75%

APIs
• GetCursorPos.USER32(?), ref: 00402357
• ScreenToClient.USER32(004C67B0,?), ref: 00402374
• GetAsyncKeyState.USER32(00000001), ref: 00402399
• GetAsyncKeyState.USER32(00000002), ref: 004023A7
• GetWindowLongW.USER32(?,000000F0), ref: 0043C23A
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
• Opcode ID: 669a1d0f0a37f564f98ec4bcb4af65858afb5dfd9ac0662bba3cfdd4afaff2d9
• Instruction ID: 29238042452bc89b72d7561f0c30562a95ff63530a210d1cf57cdef7deabd6e5
• Opcode Fuzzy Hash: 669a1d0f0a37f564f98ec4bcb4af65858afb5dfd9ac0662bba3cfdd4afaff2d9
• Instruction Fuzzy Hash: 44418E31904119FBDF159F69C888AEEBB74FB09324F20436BF828A22D0C7785954DF99
Uniqueness
• Uniqueness Score: 0.15%

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00437D3F
• _memset.LIBCMT ref: 00437D6A
  • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,?,00000000,?,?), ref: 00437DC7
• GetLastError.KERNEL32(?,?,00000000,?,?), ref: 00437DE3
• _memset.LIBCMT ref: 00437DF9
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Locale_memset$ByteCharErrorLastMultiUpdateUpdate::_Wide__getptd_noexit
• String ID:
• API String ID: 2656132383-0
• Opcode ID: f7145d940963119eb4f3d3996d8c164b153efdf4daa21afa6075cccfb0881fbb
• Instruction ID: 7f5ea619eb6b50689dbdfc7df0438fc3b478966e5d337f657cdc4e691c036bc5
• Opcode Fuzzy Hash: f7145d940963119eb4f3d3996d8c164b153efdf4daa21afa6075cccfb0881fbb
• Instruction Fuzzy Hash: 9F31D3B1604261AECB319F55D845ABF3B64AF5A724F00116FF8944A391DB3C8D00CBA9
Uniqueness
• Uniqueness Score: 100.00%

APIs
• _write_string.LIBCMT ref: 0042BBCC
• _write_multi_char.LIBCMT ref: 0042BBF0
• _write_string.LIBCMT ref: 0042BCD3
• _write_multi_char.LIBCMT ref: 0042BCFC
• _free.LIBCMT ref: 0042BD0F
  • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
  • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
  • Part of subcall function 00436415: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043644B
  • Part of subcall function 00436415: __isleadbyte_l.LIBCMT ref: 00436479
  • Part of subcall function 00436415: MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,00000000,?,?,?), ref: 004364A7
  • Part of subcall function 00436415: MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,00000000,?,?,?), ref: 004364DD
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide_write_multi_char_write_string$ErrorFreeHeapLastUpdateUpdate::___isleadbyte_l_free
• String ID:
• API String ID: 4012235191-0
• Opcode ID: 43fcaa2311595ee26eb0551792b4987f89219f237874e847750a236ea191ab6b
• Instruction ID: d95ab6f4c365c9705e0be0c3272b6b49070594f36854d8a2ef7646f9e92171a5
• Opcode Fuzzy Hash: 43fcaa2311595ee26eb0551792b4987f89219f237874e847750a236ea191ab6b
• Instruction Fuzzy Hash: 8731EAF1F101299ADF619B55DC41BEAB7B8EB08304F8444DEF708A2252E7359E948F9C
Uniqueness
• Uniqueness Score: 100.00%

APIs
• SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004319A8
• SetFilePointerEx.KERNEL32(00000000,?,?,?,?), ref: 004319BC
• GetLastError.KERNEL32(?,?), ref: 004319C2
• __dosmaperr.LIBCMT ref: 004319C9
• SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004319E2
  • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: FilePointer$ErrorLast__dosmaperr__getptd_noexit
• String ID:
• API String ID: 3275556073-0
• Opcode ID: 5020ea8c7c08a2c1d974e05f6122347255403b42e583d755c53856760baf4a0f
• Instruction ID: 42343e62d8a757b4a28060c1c9b42eb39466e64cca7891ad5fd8ae8a4149cba5
• Opcode Fuzzy Hash: 5020ea8c7c08a2c1d974e05f6122347255403b42e583d755c53856760baf4a0f
• Instruction Fuzzy Hash: 65113D72611228BFDB115BA89C40FBE3778AF45724F50025BF520A71E1DB78D800C759
Uniqueness
• Uniqueness Score: 100.00%

APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
• SelectObject.GDI32(?,00000000), ref: 0040135C
• BeginPath.GDI32(?), ref: 00401373
  • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
• SelectObject.GDI32(?,00000000), ref: 0040139C
• DeleteObject.GDI32(00000000), ref: 0043B8B6
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Object$CreateSelect$BeginBrushDeletePathSolid
• String ID:
• API String ID: 1512498296-0
• Opcode ID: d4d4c8074a2dddb84468a25ad0c171745cbd4a4b28271cbc8231a5ff8f861484
• Instruction ID: 01809ca1199762821c7ccc43aba1927c018ed3358b57c1522327ad2857708082
• Opcode Fuzzy Hash: d4d4c8074a2dddb84468a25ad0c171745cbd4a4b28271cbc8231a5ff8f861484
• Instruction Fuzzy Hash: 9B213070801304EFEB11AF65DC04B6A7BB8FB00321F55863BF810A62F0D7799995DBA9
Uniqueness
• Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                        • Part of subcall function 0045810E: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,00457651,-C0000018,00000001,?,0045758C,80070057,?,?,?,0045799D), ref: 0045811B
                                                                                      • CLSIDFromProgID.OLE32 ref: 0045766F
                                                                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 0045768A
                                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 00457698
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 004576A8
                                                                                      • CLSIDFromString.OLE32(?,?), ref: 004576B4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 450394209-0
                                                                                      • Opcode ID: bc25b6519a94f10dbb251a0eebce8836490a121c9ede26846711f318317bd882
                                                                                      • Instruction ID: 7358ad2804b9dc9911c054a84f83c2ad3ef792169d9fc978e4c4218005fc1a73
                                                                                      • Opcode Fuzzy Hash: bc25b6519a94f10dbb251a0eebce8836490a121c9ede26846711f318317bd882
                                                                                      • Instruction Fuzzy Hash: 4B11E572604618BBDB105F69EC04B9E7BACEB04762F144439FD08D2212E779DE4487A8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,%I,?), ref: 00465502
                                                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,%I,?), ref: 00465510
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,%I,?), ref: 00465518
                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,%I,?), ref: 00465522
                                                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,%I,?), ref: 0046555E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                      • String ID:
                                                                                      • API String ID: 2833360925-0
                                                                                      • Opcode ID: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
                                                                                      • Instruction ID: 904bb0919bfdc2718e962a82bb6b112c9c46cd464800c0dd09bb372580e459e7
                                                                                      • Opcode Fuzzy Hash: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
                                                                                      • Instruction Fuzzy Hash: 1A016131D00A19EBCF00DFE8E84D6EDBB78FB09711F04046AE502F2154EB345954C7AA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.22%
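The function above pairs QueryPerformanceCounter/QueryPerformanceFrequency with two Sleep calls, which is the shape of a sleep-timing check (measure wall-clock around a Sleep and compare it with the requested delay); it is also the shape of a benign high-resolution sleep loop, so the API pattern on its own only justifies a closer look, not a verdict. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses HCA function entries in the layout used on this page (API lines, "Part of subcall" lines, the .sdmp Memory Dump Source line, the Uniqueness Score) and applies two heuristics, the timing check and "executable dump region is PAGE_EXECUTE_READWRITE". The sample entry is constructed from the block above. Assumptions, labelled in the code: that the five dot-separated fields of the .sdmp name are process index, stage, dump id, base address and a Win32 PAGE_* protection value (0x40, 0x02 and 0x04 on this page fit that reading), and the small table of OLEAUT32 export ordinals used to turn `#8.OLEAUT32` into VariantInit.

```python
"""Parse Joe Sandbox HCA function entries and flag API patterns worth a second look.

Added example, not part of the Joe Sandbox report. The entry layout is inferred
from the entries on this page; SAMPLE_ENTRY below is constructed from them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the QueryPerformanceCounter/Sleep function from this page,
# plus one "Part of subcall" ordinal import taken from a later entry.
SAMPLE_ENTRY = """
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,%I,?), ref: 00465502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,%I,?), ref: 00465510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,%I,?), ref: 00465518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,%I,?), ref: 00465522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,%I,?), ref: 0046555E
  • Part of subcall function 004796DB: #8.OLEAUT32(?,?,?,?), ref: 00479999
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
Uniqueness Score: 0.22%
"""

# Well-known OLEAUT32 export ordinals (stable across Windows versions).
OLEAUT32_ORDINALS = {2: "SysAllocString", 4: "SysAllocStringLen", 6: "SysFreeString",
                     7: "SysStringLen", 8: "VariantInit", 9: "VariantClear"}

# Win32 memory protection constants. ASSUMPTION: the last field of the .sdmp
# name is such a value; 0x40/0x02/0x04 on this page are consistent with that.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:#@]+)\.(?P<mod>[A-Z0-9]+)"          # Name.MODULE, incl. #ordinal and a::b
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
DUMP_RE = re.compile(r"Source File:\s*(?P<file>\S+)\.sdmp,\s*Offset:\s*(?P<off>[0-9A-F]+),"
                     r"\s*based on PE:\s*(?P<pe>true|false)")
UNIQ_RE = re.compile(r"Uniqueness Score:\s*(?P<score>[\d.]+)%")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                      # address of the call site
    args: List[str]
    subcall: Optional[int] = None  # callee address when reported as "Part of subcall"


@dataclass
class DumpSource:
    proc_index: int
    stage: int
    base: int
    protect: int
    offset: int
    based_on_pe: bool

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02X}")


@dataclass
class HcaEntry:
    apis: List[ApiCall] = field(default_factory=list)
    dump: Optional[DumpSource] = None
    uniqueness: Optional[float] = None


def resolve_ordinal(name: str, module: str) -> str:
    """Map '#N' in OLEAUT32 to its exported name; leave everything else untouched."""
    if name.startswith("#") and module == "OLEAUT32":
        return OLEAUT32_ORDINALS.get(int(name[1:]), name)
    return name


def parse_entry(text: str) -> HcaEntry:
    """Parse one HCA function entry (API lines, dump source, uniqueness score)."""
    entry = HcaEntry()
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            entry.apis.append(ApiCall(resolve_ordinal(m["name"], m["mod"]), m["mod"],
                                      int(m["ref"], 16), args,
                                      int(m["sub"], 16) if m["sub"] else None))
            continue
        m = DUMP_RE.search(line)
        if m:
            # ASSUMPTION: <proc index>.<stage>.<dump id>.<base>.<protection>
            f = m["file"].split(".")
            entry.dump = DumpSource(int(f[0]), int(f[1]), int(f[3], 16), int(f[4], 16),
                                    int(m["off"], 16), m["pe"] == "true")
            continue
        m = UNIQ_RE.search(line)
        if m:
            entry.uniqueness = float(m["score"])
    return entry


def flag_entry(entry: HcaEntry) -> List[str]:
    """Heuristics over one function; each finding states its own caveat."""
    findings = []
    direct = [a.name for a in entry.apis if a.subcall is None]
    if direct.count("QueryPerformanceCounter") >= 2 and "Sleep" in direct:
        findings.append("timing check: QueryPerformanceCounter before and after Sleep "
                        "(sleep-acceleration detection; also seen in benign precise-sleep loops)")
    d = entry.dump
    if d and d.based_on_pe and d.protect == 0x40:
        findings.append(f"RWX image region at 0x{d.base:08X}: code executed from a "
                        "writable+executable mapping (runtime unpacking or self-modifying "
                        "code; some packers simply mark the whole image RWX)")
    return findings


if __name__ == "__main__":
    parsed = parse_entry(SAMPLE_ENTRY)
    for call in parsed.apis:
        print(f"{call.ref:08X} {call.module}!{call.name} sub={call.subcall}")
    print(parsed.dump.protect_name, parsed.uniqueness)
    for finding in flag_entry(parsed):
        print("->", finding)
```

Feeding it whole HCA sections lets you rank functions by these flags rather than reading every entry; the uniqueness score is a useful tie-breaker, since a 100% score means the opcode hash was not seen in any other sample in the vendor's corpus, while the 0.15 to 0.38% scores above are library or runtime code shared by many binaries.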

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                      • String ID:
                                                                                      • API String ID: 2625713937-0
                                                                                      • Opcode ID: 61c54fb263eb1c5a127bc7e68abcd113e5aa2c7f8e8059b9e487d898b006b3c2
                                                                                      • Instruction ID: f812cb0b4e4429ed7f7e618ed03f07a0aa621b4c15f073e4694ef7f498b4602e
                                                                                      • Opcode Fuzzy Hash: 61c54fb263eb1c5a127bc7e68abcd113e5aa2c7f8e8059b9e487d898b006b3c2
                                                                                      • Instruction Fuzzy Hash: 67F01930001208EFDB516F26EC4CB593BA4AB41326F15C639E829941F1C7358999DF28
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.17%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                        • Part of subcall function 0045BC53: GetDC.USER32(00000000), ref: 0045BC78
                                                                                        • Part of subcall function 0045BC53: GetDeviceCaps.GDI32(00000000,00000058), ref: 0045BC89
                                                                                        • Part of subcall function 0045BC53: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045BC90
                                                                                        • Part of subcall function 0045BC53: ReleaseDC.USER32(00000000,00000000), ref: 0045BC98
                                                                                        • Part of subcall function 0045BC53: MulDiv.KERNEL32(000009EC,0045B928,00000000), ref: 0045BCAF
                                                                                        • Part of subcall function 0045BC53: MulDiv.KERNEL32(000009EC,016A52EC,?), ref: 0045BCC1
                                                                                      • OleSetContainedObject.OLE32(0000000C,00000001), ref: 0045B981
                                                                                        • Part of subcall function 0045BCCD: OleSetContainedObject.OLE32(?,00000000), ref: 0045BD3F
                                                                                        • Part of subcall function 0045BCCD: IsWindow.USER32(?), ref: 0045BD9C
                                                                                        • Part of subcall function 0045BCCD: DestroyWindow.USER32(?), ref: 0045BDA9
                                                                                        • Part of subcall function 004796DB: GetLastError.KERNEL32(?,00000000,?,0048FB84,?,00000016,?,00000016), ref: 004798A5
                                                                                        • Part of subcall function 004796DB: #8.OLEAUT32(?,?,?,?), ref: 00479999
                                                                                        • Part of subcall function 004796DB: #9.OLEAUT32(?,0048FB84,00000000,?,?,?,?,?), ref: 00479A43
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsContainedDeviceObjectWindow$DestroyErrorException@8LastReleaseThrowstd::exception::exception
                                                                                      • String ID: AutoIt3GUI$Container$%I
                                                                                      • API String ID: 2766584483-4251005282
                                                                                      • Opcode ID: e3366d33717669e4b2da434cb254173371e57516a3ccaa73b24d99e73dbf7b2a
                                                                                      • Instruction ID: fb3361167640a3393b05a66091946d0b3b2d9ad6d528c81b3883d5ecba530668
                                                                                      • Opcode Fuzzy Hash: e3366d33717669e4b2da434cb254173371e57516a3ccaa73b24d99e73dbf7b2a
                                                                                      • Instruction Fuzzy Hash: 66914B70600601AFDB24DF24C885B6ABBE8FF48711F24856EED49CB392DB74E845CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 004252DD
                                                                                      • __powhlp.LIBCMT ref: 00425360
                                                                                        • Part of subcall function 00430594: __d_inttype.LIBCMT ref: 00430675
                                                                                        • Part of subcall function 00430357: __87except.LIBCMT ref: 0043037B
                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 004304CE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorHandling__start$__87except__d_inttype__powhlp
                                                                                      • String ID: pow
                                                                                      • API String ID: 2541061979-2276729525
                                                                                      • Opcode ID: c0169014571c8a50f035cbb27ee8a623963b058b02fd8f6767b6d6d046ddd236
                                                                                      • Instruction ID: af649323224186c0ce66bda7a16df25405c3c0d3a13ea4765fd3bccd6769ca7e
                                                                                      • Opcode Fuzzy Hash: c0169014571c8a50f035cbb27ee8a623963b058b02fd8f6767b6d6d046ddd236
                                                                                      • Instruction Fuzzy Hash: AC517C21B1C60197C710B724E92137F27949F14350FA0ABABE885823E6EE7C8DD4DA5E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.38%

                                                                                      APIs
                                                                                      • VkKeyScanW.USER32(?), ref: 00455DD0
                                                                                        • Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6
                                                                                      • VkKeyScanW.USER32(?), ref: 00455D94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Scan$__wcsicmp_l
                                                                                      • String ID: #$+
                                                                                      • API String ID: 18157523-2552117581
                                                                                      • Opcode ID: c3f588f036a4ba9b4624d39f9a59db0ee5a6d78b8ef0bc49354610b206d9ee0f
                                                                                      • Instruction ID: 37aff8002e02ada0918aa30981c6d68896c3d675e4df38188cf454e749cffd85
                                                                                      • Opcode Fuzzy Hash: c3f588f036a4ba9b4624d39f9a59db0ee5a6d78b8ef0bc49354610b206d9ee0f
                                                                                      • Instruction Fuzzy Hash: EB513232200215CBCB14DF28D4986FA7BB0EF55310F548067EC80AB3A2D7389C4ACB69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                        • Part of subcall function 00407E8C: _memmove.LIBCMT ref: 00407ED5
                                                                                        • Part of subcall function 00456665: _memmove.LIBCMT ref: 004566AF
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00B90000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                      • _memmove.LIBCMT ref: 004133D7
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      • _memmove.LIBCMT ref: 00413470
                                                                                      • _free.LIBCMT ref: 00413496
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                      • _memmove.LIBCMT ref: 00413549
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$Heap$AllocateErrorException@8FreeLastThrow_freestd::exception::exception
                                                                                      • String ID: OaA
                                                                                      • API String ID: 1824289774-4189730831
                                                                                      • Opcode ID: 713b82e7cd0b98b42f3fde1d67b41e05993e2ef778193e917ca86ddc9c684193
                                                                                      • Instruction ID: b445b8fa1597fd77ac91e8f36571279a65bd22c4855345799867881e3280ac98
                                                                                      • Opcode Fuzzy Hash: 713b82e7cd0b98b42f3fde1d67b41e05993e2ef778193e917ca86ddc9c684193
                                                                                      • Instruction Fuzzy Hash: 58518AB16083519FDB24CF29C440B6BBBE1BF85304F45496EE88987351DB39D941CB8A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
  • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00487C4E
• GetWindowLongW.USER32 ref: 00487C6B
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00487C7B
  • Part of subcall function 00402327: PostMessageW.USER32(?,00000028,?,00000001), ref: 0043C1C3
  • Part of subcall function 00402327: PostMessageW.USER32(?,000000B1,?,?), ref: 0043C1E5
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: Window$Message$LongPost$CreateObjectSendShowStock
• String ID: SysTreeView32
• API String ID: 2301205191-1698111956
• Opcode ID: 5703b4fad22214f619a8c8a93990bb24be334a18c808d745d027c9b0d436b63f
• Instruction ID: 396bf68d4a42e6562a5606780666b8eb1b1202c22cd254422b80c8fe13e0d72b
• Opcode Fuzzy Hash: 5703b4fad22214f619a8c8a93990bb24be334a18c808d745d027c9b0d436b63f
• Instruction Fuzzy Hash: D631D231204205ABDB11AF34CC45BDB77A9FF44328F204B2AF875A32E0C739E8559B58
Uniqueness
Uniqueness Score: 0.18%

APIs
  • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
  • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
  • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
  • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004876D0
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004876E4
  • Part of subcall function 0046589F: GetLocalTime.KERNEL32(?,00000200,?), ref: 004658AC
  • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004658E1
  • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465913
  • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465946
  • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465988
  • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004659C2
  • Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004659F1
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00487708
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: _wcsncpy$MessageSendWindow$CreateLocalObjectShowStockTime
• String ID: SysMonthCal32
• API String ID: 3258503128-1439706946
• Opcode ID: 8df40860f00383b0d6c3c964195447c3cde1b00ce37527eab5e6f159fde48afd
• Instruction ID: 1307edf48a77a6559d14c6dee31d15e92fea33bca7a193078042eb65218a36c2
• Opcode Fuzzy Hash: 8df40860f00383b0d6c3c964195447c3cde1b00ce37527eab5e6f159fde48afd
• Instruction Fuzzy Hash: B421AD32600218ABDF119E94CC52FEF3B69EF48764F210615FA156B1D0DAB9E8548BA4
Uniqueness
Uniqueness Score: 0.16%

APIs
  • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
  • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
  • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
  • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
  • Part of subcall function 00423F79: __wtof_l.LIBCMT ref: 00423F81
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00487EB9
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00487EC7
• DestroyWindow.USER32(00000000), ref: 00487ECE
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: MessageSendWindow$CreateDestroyObjectShowStock__wtof_l
• String ID: msctls_updown32
• API String ID: 3130516392-2298589950
• Opcode ID: 4bf1fa20f404e7782d750a44167e3a69d9818834325eee9861cc63593fdc3cf7
• Instruction ID: 1485368da0f86edf0b0b6d6e13098a0258c00c1e58360c3b6b4c0cf3e96c5d84
• Opcode Fuzzy Hash: 4bf1fa20f404e7782d750a44167e3a69d9818834325eee9861cc63593fdc3cf7
• Instruction Fuzzy Hash: 07216DB5604208AFDB10EF18DC91D7B37ADEF4A398B15486AF9109B391CB75EC118B78
Uniqueness
Uniqueness Score: 0.15%

APIs
  • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
  • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
  • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
  • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486FAA
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486FBA
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00486FDF
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: MessageSendWindow$CreateMoveObjectShowStock
• String ID: Listbox
• API String ID: 3566057971-2633736733
• Opcode ID: 5b1aa1dd4bda49325bd9272afdb14f4a71a8921d49aef0d9818b46d4ce5469eb
• Instruction ID: fd605c54c2ac3b50964ebfebf07f6eca260989f51fe9dc9a3e12500301207b21
• Opcode Fuzzy Hash: 5b1aa1dd4bda49325bd9272afdb14f4a71a8921d49aef0d9818b46d4ce5469eb
• Instruction Fuzzy Hash: 9A21F232610118BFDF51AF54DC84FAF37AAEF89754F128525FB049B290CA75DC1187A4
Uniqueness
Uniqueness Score: 0.17%

APIs
  • Part of subcall function 00407E0B: _memmove.LIBCMT ref: 0043F1BA
• __snwprintf.LIBCMT ref: 00473D5A
  • Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: _memmove$__snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d$%I
• API String ID: 1095647463-3751216540
• Opcode ID: 73122cb26abe992498e4bf822292f764f54f11a9123fada09ab1a14b240aa1b0
• Instruction ID: 991e62ca2d85527952959e0cb6d74c1b8c3b79d2a13ecd2fa9961f4cfe28b1de
• Opcode Fuzzy Hash: 73122cb26abe992498e4bf822292f764f54f11a9123fada09ab1a14b240aa1b0
• Instruction Fuzzy Hash: DE218671600219AACF10EF65CC81AED7764BF44704F5044AFF409A7281D738EE55DBAA
Uniqueness
Uniqueness Score: 100.00%

APIs
  • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
  • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
  • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
  • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004879E1
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004879F6
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487A03
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: MessageSend$Window$CreateObjectShowStock
• String ID: msctls_trackbar32
• API String ID: 269107984-1010561917
• Opcode ID: f9de2675f9dbbe1aac8b53f7c0ec9e088f0411dbf2a2d6fcc0aa0f3bf777801e
• Instruction ID: 0de93e4c80c6f3c9c16b6b4dc0969efecf6b6414ad0caf4bffc16717d87381f0
• Opcode Fuzzy Hash: f9de2675f9dbbe1aac8b53f7c0ec9e088f0411dbf2a2d6fcc0aa0f3bf777801e
• Instruction Fuzzy Hash: 9F113A72244208BEEF24AF60CC15FDF37ADEF89764F21491AFA01A61D0D675D811CB64
Uniqueness
Uniqueness Score: 0.15%

APIs
• __lock.LIBCMT ref: 00424D49
  • Part of subcall function 00429E4B: __mtinitlocknum.LIBCMT ref: 00429E5D
  • Part of subcall function 00429E4B: EnterCriticalSection.KERNEL32(?,?,0042345E,00000008,00422E99,004BBB50,0000000C,00422F8B,?,?,00401014,0043B7A9), ref: 00429E76
  • Part of subcall function 00426E8D: __lock.LIBCMT ref: 00426E9C
  • Part of subcall function 00426E8D: EnterCriticalSection.KERNEL32(?,?,00423F0C,00000001,-00000020,004BBB90,0000000C,0046A269,"%s" (%d) : ==> %s:,?,?,?), ref: 00426EB5
• __fflush_nolock.LIBCMT ref: 00424D9C
• __fflush_nolock.LIBCMT ref: 00424DB8
  • Part of subcall function 00424C27: __flush.LIBCMT ref: 00424C3C
  • Part of subcall function 00424C27: __commit.LIBCMT ref: 00424C5B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: CriticalEnterSection__fflush_nolock__lock$__commit__flush__mtinitlocknum
• String ID: @RL
• API String ID: 1390624775-2017224383
• Opcode ID: 923140d8e0922b17943ebdf1c831f994aa8c217c156d5b3504315581c5dc9c21
• Instruction ID: 251d2091940ea0a0d9e79db47615ebe748db69126ac2d1bf54aaf532e9e62895
• Opcode Fuzzy Hash: 923140d8e0922b17943ebdf1c831f994aa8c217c156d5b3504315581c5dc9c21
• Instruction Fuzzy Hash: EB11B735A202344AC710DF69E44569DB7A0EF85738FA5435FE860A72E2C77C8D418B4C
Uniqueness
Uniqueness Score: 100.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0047C312
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00441D88,?), ref: 0047C324
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: 8f6b8fbc5ae0276c8692dd60ba773bbd6744e56ae64103a06af9cbd1890bf6c2
• Instruction ID: 448837d343b809a7a747f76761528a7c57238ea74050f81ad14c4a4b07cc8ac9
• Opcode Fuzzy Hash: 8f6b8fbc5ae0276c8692dd60ba773bbd6744e56ae64103a06af9cbd1890bf6c2
• Instruction Fuzzy Hash: FFE08C70200303CFCB205F25C848B8B76D4EB08714B90C83FE899C2310E778D880CBA8
Uniqueness
Uniqueness Score: 100.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 00404CA3
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00000000), ref: 00404CB5
Strings
Memory Dump Source
• Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
• Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
• Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
• Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
• Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
• Instruction ID: 04ac41d75f1c9d427c50c0ff68074fa7ac0788071283bd8ed0c5af36185ae805
• Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
• Instruction Fuzzy Hash: 77D01270510723CFD720AF31D91874A76D5AF45751F218C3F9885D6690D678D8C4C758
Uniqueness
Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00404D6F
                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404D81
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                      • API String ID: 2574300362-3689287502
                                                                                      • Opcode ID: fc980e23cb8f5420eddcc0b614f2834b55be2bd1e6444ffbd0018dc10b9e249f
                                                                                      • Instruction ID: 138340c1bb7cbddbf6dc8479dd470e83836704d62684dbb944a4f44490343f19
                                                                                      • Opcode Fuzzy Hash: fc980e23cb8f5420eddcc0b614f2834b55be2bd1e6444ffbd0018dc10b9e249f
                                                                                      • Instruction Fuzzy Hash: FED01770610713CFD720AF31D80875A76E8AF55762B218D3FD886E6690E678D8C4CB68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00404DA2
                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404DB4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                      • API String ID: 2574300362-1355242751
                                                                                      • Opcode ID: 5f018ec53565a5f854ca009f39446564a5e562c2ecce425f19b837535b5d9e77
                                                                                      • Instruction ID: c07e40ce446ef711e38c2592c227d3dcacdcaf999f73730374c34c972243728b
                                                                                      • Opcode Fuzzy Hash: 5f018ec53565a5f854ca009f39446564a5e562c2ecce425f19b837535b5d9e77
                                                                                      • Instruction Fuzzy Hash: FCD08270600312CFCB20AF30C808B8A72E4AF04350B208C3FD882E2290E778D8808BA8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeString$lstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 3563800057-0
                                                                                      • Opcode ID: 243eb1bb77c329aa80634928938631c45a4dd5376c5b101ad48a1cfc64343361
                                                                                      • Instruction ID: 84902a8fcdc76aa46939935bd970338d8b2f52d4cee566ed92c109812de06c3e
                                                                                      • Opcode Fuzzy Hash: 243eb1bb77c329aa80634928938631c45a4dd5376c5b101ad48a1cfc64343361
                                                                                      • Instruction Fuzzy Hash: E8C19E74A04216EFDB14CF94D884EAEB7B5FF48311B1085AAE805EB352D734ED85CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • #8.OLEAUT32(?,00000016,?,00000001,?,?,?,?,?,?,?,?,?,004570F4,?,00000016), ref: 00456E04
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 0045710E: #41.OLEAUT32(0000000C,?,?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4), ref: 00457135
                                                                                        • Part of subcall function 0045710E: #37.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 0045718E
                                                                                        • Part of subcall function 0045710E: #8.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 004571A0
                                                                                        • Part of subcall function 0045710E: #23.OLEAUT32(?,?,?,?,?,?,?,?,00456EC6), ref: 004571C0
                                                                                        • Part of subcall function 0045710E: #10.OLEAUT32(?,?,00000002,?,?,?,?,?,?,?,00456EC6), ref: 00457213
                                                                                        • Part of subcall function 0045710E: #24.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00456EC6), ref: 00457227
                                                                                        • Part of subcall function 0045710E: #9.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 0045723C
                                                                                        • Part of subcall function 0045710E: #39.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457249
                                                                                        • Part of subcall function 0045710E: #38.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457252
                                                                                        • Part of subcall function 0045710E: #9.OLEAUT32(?,?,?,?,?,?,?,00456EC6), ref: 00457264
                                                                                        • Part of subcall function 0045710E: #38.OLEAUT32(?,?,?,?,?,?,?,00456EC6,?,?,?,?,?,004570F4,?,00000016), ref: 0045726F
                                                                                        • Part of subcall function 004570C0: #9.OLEAUT32(?,?,?,00456EFF,00000000,?,?,?,?,?,004570F4,?,00000016,00479753,?,00000016), ref: 004570C7
                                                                                        • Part of subcall function 004570C0: #10.OLEAUT32(?,?,?,?,?,00456EFF,00000000,?,?,?,?,?,004570F4,?,00000016,00479753), ref: 004570D1
                                                                                      • #9.OLEAUT32(?,00000000,?,?,?,?,?,004570F4,?,00000016,00479753,?,00000016,?,00000016), ref: 00456F03
                                                                                      • #10.OLEAUT32(?,?,?,?,?,?,?,004570F4,?,00000016,00479753,?,00000016,?,00000016), ref: 00456EDC
                                                                                        • Part of subcall function 00457280: #411.OLEAUT32(00000011,00000000,00000000,?,?,?,?,004570F4,?,00000016,00479753,?,00000016,?,00000016), ref: 00457294
                                                                                        • Part of subcall function 00457280: _memmove.LIBCMT ref: 004572C7
                                                                                      • #2.OLEAUT32(00000000,?,?,?,?,004570F4,?,00000016,00479753,?,00000016,?,00000016), ref: 00456EAD
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcscpy$#411Exception@8Throw__i64tow__itow_memmovestd::exception::exception
                                                                                      • String ID:
                                                                                      • API String ID: 3091166584-0
                                                                                      • Opcode ID: c98d0e5605fb69cc7b0004eb2b62af69383f92385c78f36b8f80d39d728c9823
                                                                                      • Instruction ID: 493451d42fa2cf72034c46684ab61465e33aa78788b401b925ba93198380c5c1
                                                                                      • Opcode Fuzzy Hash: c98d0e5605fb69cc7b0004eb2b62af69383f92385c78f36b8f80d39d728c9823
                                                                                      • Instruction Fuzzy Hash: EB510D316047019BDB209F66E881A2EB3E59F48715F60883FED46C72D3DB789849DB0D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.04%

                                                                                      APIs
                                                                                      • __getbuf.LIBCMT ref: 0042B0F5
                                                                                        • Part of subcall function 00436234: __malloc_crt.LIBCMT ref: 00436244
                                                                                      • __write.LIBCMT ref: 0042B121
                                                                                      • __lseeki64.LIBCMT ref: 0042B165
                                                                                        • Part of subcall function 00431A15: ___lock_fhandle.LIBCMT ref: 00431A80
                                                                                        • Part of subcall function 00431A15: __lseeki64_nolock.LIBCMT ref: 00431AA5
                                                                                      • __write.LIBCMT ref: 0042B18A
                                                                                        • Part of subcall function 0042DAC6: ___lock_fhandle.LIBCMT ref: 0042DB33
                                                                                        • Part of subcall function 0042DAC6: __write_nolock.LIBCMT ref: 0042DB52
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___lock_fhandle__write$__getbuf__getptd_noexit__lseeki64__lseeki64_nolock__malloc_crt__write_nolock
                                                                                      • String ID:
                                                                                      • API String ID: 179495348-0
                                                                                      • Opcode ID: 45ce835627bc0c9716da84b72a0cbf8f714e64de0b1503c5de1162c9c2ea980c
                                                                                      • Instruction ID: 1f74650e41540eb26cca6949c29ac2c1ed8b1604598ed4861c77a303136e931c
                                                                                      • Opcode Fuzzy Hash: 45ce835627bc0c9716da84b72a0cbf8f714e64de0b1503c5de1162c9c2ea980c
                                                                                      • Instruction Fuzzy Hash: BB413371700A214BD3248F29E862A3B77E0DF453A0B54C21FE8BA873D1D73CE8008B99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00488B4D
                                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00488B9C
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00488BC6
                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00488BD3
                                                                                        • Part of subcall function 0048B57F: GetWindowRect.USER32(?,?), ref: 0048B59E
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5B6
                                                                                        • Part of subcall function 0048B57F: ScreenToClient.USER32(?,?), ref: 0048B5DA
                                                                                        • Part of subcall function 0048B57F: InvalidateRect.USER32(?,?,?), ref: 0048B5F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: RectWindow$ClientInvalidateLongScreen$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 914510294-0
                                                                                      • Opcode ID: 1812b031c17629b9ac9058f315acfc07962e7d9e9c168155413f69a060141664
                                                                                      • Instruction ID: 6017366305c22272e93e48bc594278956003a9b2b994b7244c35f7a79524baaf
                                                                                      • Opcode Fuzzy Hash: 1812b031c17629b9ac9058f315acfc07962e7d9e9c168155413f69a060141664
                                                                                      • Instruction Fuzzy Hash: F1319074640204BEEB24BA58CC45FAE3764EB85310FA44D2BFA51D62A1DF38B9409B59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                      • ClientToScreen.USER32(?,?), ref: 0048AE1A
                                                                                      • GetWindowRect.USER32(?,?), ref: 0048AE90
                                                                                      • PtInRect.USER32(?,?,?), ref: 0048AEA0
                                                                                      • MessageBeep.USER32(00000000), ref: 0048AF11
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1352109105-0
                                                                                      • Opcode ID: 6a18ba18eb21849e9a78bd79b6f84d7a3cce87d2be61423b7a6c01e025f158a7
                                                                                      • Instruction ID: 20aafe120d683b7536ec1c361d9cbfa3becb7b0e8fd9f7a68ee45a873ef900b5
                                                                                      • Opcode Fuzzy Hash: 6a18ba18eb21849e9a78bd79b6f84d7a3cce87d2be61423b7a6c01e025f158a7
                                                                                      • Instruction Fuzzy Hash: 72419A70A001099FEB11EF58C884A6D7BF1FF48340F1889BBEA049B351D7B4A812DF5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043644B
                                                                                      • __isleadbyte_l.LIBCMT ref: 00436479
                                                                                        • Part of subcall function 004237FB: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00423807
                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,00000000,?,?,?), ref: 004364A7
                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,00000000,?,?,?), ref: 004364DD
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Locale$ByteCharMultiUpdateUpdate::_Wide$__getptd_noexit__isleadbyte_l
                                                                                      • String ID:
                                                                                      • API String ID: 3164516598-0
                                                                                      • Opcode ID: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
                                                                                      • Instruction ID: 00bfbab79281597f36fe53e4f64e7450777474697505dafcb940073344e51601
                                                                                      • Opcode Fuzzy Hash: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
                                                                                      • Instruction Fuzzy Hash: 4A31F030A00257BFDB218F65CC44BAB7BA9FF59310F16802AE8548B290D738E850DB9C
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.46%
                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • GetCursorPos.USER32(?), ref: 0048C7C2
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048C7D7
                                                                                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                      • GetCursorPos.USER32(?), ref: 0048C824
                                                                                      • DefDlgProcW.USER32(?,0000007B,?), ref: 0048C85E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CursorLongWindow$MenuPopupProcTrack
                                                                                      • String ID:
                                                                                      • API String ID: 2780618515-0
                                                                                      • Opcode ID: a5a98a92077e2aaa59aca06ed05bce2560aa70a0f09ba78dbcc783647833ee95
                                                                                      • Instruction ID: 757619bd3f98b372d46f3818d8faf94b3fa09ae1c323e5c89f059bb0ed552e39
                                                                                      • Opcode Fuzzy Hash: a5a98a92077e2aaa59aca06ed05bce2560aa70a0f09ba78dbcc783647833ee95
                                                                                      • Instruction Fuzzy Hash: 00318F35600018AFCB15EF58C898EEF7BB6EB49311F04486AF9058B2A1C7359950DB68
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.24%
                                                                                      APIs
                                                                                      • __setmode.LIBCMT ref: 00420BF2
                                                                                        • Part of subcall function 00424744: ___lock_fhandle.LIBCMT ref: 004247D9
                                                                                        • Part of subcall function 00424744: __setmode_nolock.LIBCMT ref: 004247F6
                                                                                        • Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9B1
                                                                                        • Part of subcall function 00409997: _wcscpy.LIBCMT ref: 0043F9DD
                                                                                        • Part of subcall function 00409997: __i64tow.LIBCMT ref: 0043FA0F
                                                                                        • Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467B20,?,?,00000000), ref: 00405B8C
                                                                                        • Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467B20,?,?,00000000,?,?), ref: 00405BB0
                                                                                      • _fprintf.LIBCMT ref: 00420C29
                                                                                        • Part of subcall function 00424B15: __lock_file.LIBCMT ref: 00424B5C
                                                                                        • Part of subcall function 00424B15: __stbuf.LIBCMT ref: 00424BE1
                                                                                        • Part of subcall function 00424B15: __output_l.LIBCMT ref: 00424BF1
                                                                                        • Part of subcall function 00424B15: __ftbuf.LIBCMT ref: 00424BFD
                                                                                      • OutputDebugStringW.KERNEL32(?), ref: 00456331
                                                                                        • Part of subcall function 00424CDA: __lock_file.LIBCMT ref: 00424CFC
                                                                                        • Part of subcall function 00424CDA: __fflush_nolock.LIBCMT ref: 00424D06
                                                                                      • __setmode.LIBCMT ref: 00420C5E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide__lock_file__setmode_wcscpy$DebugOutputString___lock_fhandle__fflush_nolock__ftbuf__i64tow__itow__output_l__setmode_nolock__stbuf_fprintf
                                                                                      • String ID:
                                                                                      • API String ID: 2994725519-0
                                                                                      • Opcode ID: e816074527dd0260311bb413413d9e4cbb1bb9f579dd752bf0b2a17323b24ee0
                                                                                      • Instruction ID: 67bbc7bd6f20af13a6fc8561dd9091ed48981cac713344a594c0177f25e59198
                                                                                      • Opcode Fuzzy Hash: e816074527dd0260311bb413413d9e4cbb1bb9f579dd752bf0b2a17323b24ee0
                                                                                      • Instruction Fuzzy Hash: 2F1157B2B042146ACB0873B6BC429BE7B68DF85324F94012FF104672C2DE3C5D86479D
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.48%
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00435351
                                                                                        • Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000), ref: 00422FA9
                                                                                        • Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64,00000000,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?), ref: 00422FBB
                                                                                      • HeapReAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,?,00428AB6,?,?,00000000,00000000,?,00422F40,00000000,00000010), ref: 0043536F
                                                                                      • GetLastError.KERNEL32(?,00428AB6,?,?,00000000,00000000,?,00422F40,00000000,00000010,?,?,?,?,?,00422EA5), ref: 004353CA
                                                                                        • Part of subcall function 004235E1: DecodePointer.KERNEL32(?,004259CD,?,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62), ref: 004235EA
                                                                                      • GetLastError.KERNEL32(?,00428AB6,?,?,00000000,00000000,?,00422F40,00000000,00000010,?,?,?,?,?,00422EA5), ref: 004353B2
                                                                                        • Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68
                                                                                        • Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
                                                                                        • Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
                                                                                        • Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00B90000,00000000,00000001,00000000,00000000,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28), ref: 0042598F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorHeapLast$AllocAllocateDecodeFreePointer__getptd_noexit_free
                                                                                      • String ID:
                                                                                      • API String ID: 2334374242-0
                                                                                      • Opcode ID: 2533e6da2a6b104497cc3abc21434257f2a231a412eed781c98fc61c91dc778f
                                                                                      • Instruction ID: ca36ded951c5b74dcd14922bdbfcb28a3672708b69dba933c6c60362b96cb12c
                                                                                      • Opcode Fuzzy Hash: 2533e6da2a6b104497cc3abc21434257f2a231a412eed781c98fc61c91dc778f
                                                                                      • Instruction Fuzzy Hash: 7211C132605A25AECB212F71B84565E37A89F183B4F60182FFD049A290DABD8941879D
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 1.55%
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00404560
                                                                                        • Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
                                                                                        • Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
                                                                                        • Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1
                                                                                        • Part of subcall function 0040410D: LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC
                                                                                      • KillTimer.USER32(?,00000001), ref: 004045B5
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004045C4
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D6CE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_Timer_memset$KillLoadString_wcscpy
                                                                                      • String ID:
                                                                                      • API String ID: 1203397457-0
                                                                                      • Opcode ID: 9017d92aafd25a15b7bd45833115f0549aca239c36473df683567b390838c4b6
                                                                                      • Instruction ID: ee13d0e14117257c6e1bf6a2afa9c18cb2a9610526be340c73f4befcf8864d37
                                                                                      • Opcode Fuzzy Hash: 9017d92aafd25a15b7bd45833115f0549aca239c36473df683567b390838c4b6
                                                                                      • Instruction Fuzzy Hash: 14210AB0904784AFE7328B24DC45BE7BBEC9F45308F0000AFE79E66281C7781A858B59
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 2.04%
                                                                                      APIs
                                                                                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                                                        • Part of subcall function 0048A779: LoadCursorW.USER32(00000000,00007F00), ref: 0048A7F1
                                                                                        • Part of subcall function 0048A779: SetCursor.USER32(00000000), ref: 0048A7F8
                                                                                      • GetClientRect.USER32(?,?), ref: 0043B84B
                                                                                      • GetCursorPos.USER32(?), ref: 0043B855
                                                                                      • ScreenToClient.USER32(?,?), ref: 0043B860
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$Client$LoadLongProcRectScreenWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3055988096-0
                                                                                      • Opcode ID: 0ece2ee9bdbf1d33a90fc67de420260cd1354e737385e85e7b59386c5e1efca1
                                                                                      • Instruction ID: 88478fa3ad29557ab13713681797212a94603c3b61ccda0d63648654153e7648
                                                                                      • Opcode Fuzzy Hash: 0ece2ee9bdbf1d33a90fc67de420260cd1354e737385e85e7b59386c5e1efca1
                                                                                      • Instruction Fuzzy Hash: 82112B39510019EBCB00EF94D8859AE77B8FB05300F1048AAF901F7291D734AA569BA9
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.23%
                                                                                      APIs
                                                                                      • __cftof_l.LIBCMT ref: 0043722B
                                                                                        • Part of subcall function 00437912: __fltout2.LIBCMT ref: 0043793B
                                                                                        • Part of subcall function 00437912: __fptostr.LIBCMT ref: 0043799D
                                                                                        • Part of subcall function 00437912: __cftof2_l.LIBCMT ref: 004379BA
                                                                                      • __cftog_l.LIBCMT ref: 00437251
                                                                                        • Part of subcall function 004379D3: __fltout2.LIBCMT ref: 004379FC
                                                                                        • Part of subcall function 004379D3: __fptostr.LIBCMT ref: 00437A5D
                                                                                        • Part of subcall function 004379D3: __cftof2_l.LIBCMT ref: 00437A9E
                                                                                        • Part of subcall function 004379D3: __cftoe2_l.LIBCMT ref: 00437AB9
                                                                                      • __cftoa_l.LIBCMT ref: 0043726A
                                                                                        • Part of subcall function 0043728D: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004372AD
                                                                                        • Part of subcall function 0043728D: _mbstowcs_s.LIBCMT ref: 00437324
                                                                                        • Part of subcall function 0043728D: _strrchr.LIBCMT ref: 0043735F
                                                                                        • Part of subcall function 0043728D: _memset.LIBCMT ref: 004374F6
                                                                                        • Part of subcall function 0043728D: __alldvrm.LIBCMT ref: 00437571
                                                                                        • Part of subcall function 0043728D: __alldvrm.LIBCMT ref: 00437594
                                                                                        • Part of subcall function 0043728D: __alldvrm.LIBCMT ref: 004375B7
                                                                                      • __cftoe_l.LIBCMT ref: 00437283
                                                                                        • Part of subcall function 00437758: __fltout2.LIBCMT ref: 00437785
                                                                                        • Part of subcall function 00437758: __fptostr.LIBCMT ref: 004377ED
                                                                                        • Part of subcall function 00437758: __cftoe2_l.LIBCMT ref: 0043780D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __alldvrm__fltout2__fptostr$Locale__cftoe2_l__cftof2_l$UpdateUpdate::___cftoa_l__cftoe_l__cftof_l__cftog_l_mbstowcs_s_memset_strrchr
                                                                                      • String ID:
                                                                                      • API String ID: 621885885-0
                                                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                      • Instruction ID: 99b9b692cf18fd2280f287716e5b4489036060bef9d5190ceb0c0b5b499c977f
                                                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                      • Instruction Fuzzy Hash: 71016DB204418EBBCF225E84CC018EE3F22BF1D354F089656FE9858121C23AC9B1AB85
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.60%
                                                                                      APIs
                                                                                      • GetWindowRect.USER32(?,?), ref: 0048B59E
                                                                                      • ScreenToClient.USER32(?,?), ref: 0048B5B6
                                                                                      • ScreenToClient.USER32(?,?), ref: 0048B5DA
                                                                                      • InvalidateRect.USER32(?,?,?), ref: 0048B5F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 357397906-0
                                                                                      • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                                      • Instruction ID: c1ec13a6a315efdf6b243f43d6614c5161e9ce39f19ad1524a172358c11b1c05
                                                                                      • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                                      • Instruction Fuzzy Hash: 261146B5D00209EFDB41DF99C444AEEFBB5FF18310F104566E914E3620D735AA558F94
                                                                                      Uniqueness
                                                                                      • Uniqueness Score: 0.17%
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0048B8FE
                                                                                      • _memset.LIBCMT ref: 0048B90D
                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C7F20,004C7F64), ref: 0048B93C
                                                                                      • CloseHandle.KERNEL32 ref: 0048B94E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memset$CloseCreateHandleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 3277943733-0
                                                                                      • Opcode ID: 20938f2380c00bee8b77b7cffb68c01d981cfa171dd9b4496317a146dae37767
                                                                                      • Instruction ID: 82d0d7306074909859a51e75144c9fe9cb012601897826516f2148835353e407
                                                                                      • Opcode Fuzzy Hash: 20938f2380c00bee8b77b7cffb68c01d981cfa171dd9b4496317a146dae37767
                                                                                      • Instruction Fuzzy Hash: DDF05EB26443107BE2506B61AC85FBB3A5CEB08358F00443AFB08D5296D77959008BBC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.28%

                                                                                      APIs
                                                                                        • Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0040134D
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
                                                                                        • Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
                                                                                        • Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C
                                                                                        • Part of subcall function 004012F3: DeleteObject.GDI32(00000000), ref: 0043B8B6
                                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C030
                                                                                      • LineTo.GDI32(00000000,?,?), ref: 0048C03D
                                                                                      • EndPath.GDI32(00000000), ref: 0048C04D
                                                                                      • StrokePath.GDI32(00000000), ref: 0048C05B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                      • String ID:
                                                                                      • API String ID: 2783949968-0
                                                                                      • Opcode ID: b637bd8999dc2f02e3877b06716cb091b1b48c92cefa925fd8f557c2f1659822
                                                                                      • Instruction ID: 674b4468024ad211d301666b20e3bfa7de505a3549e2e29f62cfbf593809ea28
                                                                                      • Opcode Fuzzy Hash: b637bd8999dc2f02e3877b06716cb091b1b48c92cefa925fd8f557c2f1659822
                                                                                      • Instruction Fuzzy Hash: BAF0BE31001219BBDB127F90AC09FCE3F58AF06310F148429FA11210E287794564DBAD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000008), ref: 00402231
                                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                                                      • GetStockObject.GDI32(00000005), ref: 00402258
                                                                                      • GetWindowDC.USER32(?), ref: 0043C0D3
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043C0E0
                                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0043C0F9
                                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0043C112
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0043C132
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0043C13D
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0043C159
                                                                                        • Part of subcall function 004022D0: CreateSolidBrush.GDI32(?), ref: 0040230B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Pixel$Color$BrushCreateModeObjectReleaseSolidStockTextWindow
                                                                                      • String ID:
                                                                                      • API String ID: 88331326-0
                                                                                      • Opcode ID: 27b2581c254cdff319ff0ea5d8f2be35128cc34943b3abbe395981e759962590
                                                                                      • Instruction ID: 007a7e945b926db1975f0eb4024d1954444be121fda63f18d3fd7a61cce91000
                                                                                      • Opcode Fuzzy Hash: 27b2581c254cdff319ff0ea5d8f2be35128cc34943b3abbe395981e759962590
                                                                                      • Instruction Fuzzy Hash: 58E03932100244EADB215FA8EC4D7DD3B20AB05332F10837AFAA9580E287764994DB15
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.25%

                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 00442187
                                                                                      • GetDC.USER32(00000000), ref: 00442191
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004421B1
                                                                                      • ReleaseDC.USER32(?), ref: 004421D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      • Opcode ID: 6ccce6c581eecdf91341cc96db6383502fda410d9a8940bdb714612b0f6538cf
                                                                                      • Instruction ID: e80bcdaed25015b38fc075b9af120d0661f73bd954452babf2cca2976e4e6e99
                                                                                      • Opcode Fuzzy Hash: 6ccce6c581eecdf91341cc96db6383502fda410d9a8940bdb714612b0f6538cf
                                                                                      • Instruction Fuzzy Hash: 8BE01A75900204EFDB019FA0C808A9D7BF1EF5C350F108A3AF95AE7260DB7885569F49
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.08%

                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 0044219B
                                                                                      • GetDC.USER32(00000000), ref: 004421A5
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004421B1
                                                                                      • ReleaseDC.USER32(?), ref: 004421D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      • Opcode ID: 56bdb0173f3b1fd63dc82c5c3953b40893d4d886f94812d9d464ad18ef1fe862
                                                                                      • Instruction ID: 0585887194f83d5896a0f01572a955ee9a0ca529f388d05c95cdd3c21f880870
                                                                                      • Opcode Fuzzy Hash: 56bdb0173f3b1fd63dc82c5c3953b40893d4d886f94812d9d464ad18ef1fe862
                                                                                      • Instruction Fuzzy Hash: 98E01A75900204EFCB019FB0C80869D7BF1EF5C310F108939F95AA7260DB3895569F48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.08%

                                                                                      APIs
                                                                                      • __getptd_noexit.LIBCMT ref: 00425FDD
                                                                                        • Part of subcall function 00429C04: GetLastError.KERNEL32(00000000,?,00428D6D,004259D3,00000000,?,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008), ref: 00429C06
                                                                                        • Part of subcall function 00429C04: __calloc_crt.LIBCMT ref: 00429C27
                                                                                        • Part of subcall function 00429C04: __initptd.LIBCMT ref: 00429C49
                                                                                        • Part of subcall function 00429C04: GetCurrentThreadId.KERNEL32(?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?,?,?,0042345E,00000008,00422E99), ref: 00429C50
                                                                                        • Part of subcall function 00429C04: _free.LIBCMT ref: 00429C5F
                                                                                        • Part of subcall function 00429C04: SetLastError.KERNEL32(00000000,00428A73,?,?,?,00000000,?,00429F15,00000018,004BBE28,00000008,00429E62,?,?,?,0042345E), ref: 00429C68
                                                                                      • CloseHandle.KERNEL32(?), ref: 00425FF1
                                                                                      • __freeptd.LIBCMT ref: 00425FF8
                                                                                        • Part of subcall function 00429BB6: __freefls@4.LIBCMT ref: 00429BE4
                                                                                      • ExitThread.KERNEL32 ref: 00426000
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd_free
                                                                                      • String ID:
                                                                                      • API String ID: 4115800976-0
                                                                                      • Opcode ID: 73f3316d7a9bb026c18791f0f038f5fd20d10d45368c0215e46809877e6d453b
                                                                                      • Instruction ID: e67f4098726512b4bbe0befa71defda7df7d7d7ce1afe63b2ae22e18cfc71986
                                                                                      • Opcode Fuzzy Hash: 73f3316d7a9bb026c18791f0f038f5fd20d10d45368c0215e46809877e6d453b
                                                                                      • Instruction Fuzzy Hash: DAD0A731102E3197C6312731BD0D61F76506F00725F45463EF869856E09F789C02874D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.71%

                                                                                      APIs
                                                                                        • Part of subcall function 00405FD2: CharUpperBuffW.USER32(00000040,?), ref: 00406032
                                                                                      • _memmove.LIBCMT ref: 0043E402
                                                                                        • Part of subcall function 00407CB3: _memmove.LIBCMT ref: 00407D13
                                                                                        • Part of subcall function 00407FAF: _memmove.LIBCMT ref: 00408003
                                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 004065A1
                                                                                        • Part of subcall function 0040766F: _memmove.LIBCMT ref: 0040774A
                                                                                        • Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
                                                                                        • Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove$BuffCharUpper$Exception@8Throwstd::exception::exception
                                                                                      • String ID: =
                                                                                      • API String ID: 1823382739-2322244508
                                                                                      • Opcode ID: 484172fb48f354d1aa79a0e7482d4110529b6da5333c8d2966d3f2cb83907663
                                                                                      • Instruction ID: a1c148b18c8c5cc82cb5cc51de2e37c9138689195c45808a8d74da9192abb7e6
                                                                                      • Opcode Fuzzy Hash: 484172fb48f354d1aa79a0e7482d4110529b6da5333c8d2966d3f2cb83907663
                                                                                      • Instruction Fuzzy Hash: 3C51BF71900109AACF14EB99D8819EEB7B4EF58304F11003BE503B72D1DA3D9D96CB5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: OaA
                                                                                      • API String ID: 4104443479-4189730831
                                                                                      • Opcode ID: eac606b9c50b6ed376460228ada23af1934c05934f650784fb345cb0aa555a59
                                                                                      • Instruction ID: d3fee3364ca9afcf12c1e92d5c5d747a73912d83b3585dc8c9cc0e8530f715e4
                                                                                      • Opcode Fuzzy Hash: eac606b9c50b6ed376460228ada23af1934c05934f650784fb345cb0aa555a59
                                                                                      • Instruction Fuzzy Hash: 3C5170B0A00609DFDB24CF69C580AAEBBF1FF45304F14452EE85AE7350EB34A996CB55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • Sleep.KERNEL32(00000000), ref: 00412AC8
                                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412AE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: GlobalMemorySleepStatus
                                                                                      • String ID: @
                                                                                      • API String ID: 2783356886-2766056989
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.17%

                                                                                      APIs
                                                                                        • Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089
                                                                                      • _wcscmp.LIBCMT ref: 00469AAE
                                                                                      • _wcscmp.LIBCMT ref: 00469AC1
                                                                                        • Part of subcall function 00405045: _fseek.LIBCMT ref: 0040505D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcscmp$__fread_nolock_fseek
                                                                                      • String ID: FILE
                                                                                      • API String ID: 2908099527-3121273764
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00487DD0
                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00487DE5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: '
                                                                                      • API String ID: 3850602802-1997036262
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.21%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00486DC2
                                                                                        • Part of subcall function 0048BAB8: LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048BB6E
                                                                                        • Part of subcall function 0048BAB8: LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00486D80,?), ref: 0048BBCA
                                                                                        • Part of subcall function 0048BAB8: LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048BC03
                                                                                        • Part of subcall function 0048BAB8: LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048BC46
                                                                                        • Part of subcall function 0048BAB8: LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048BC7D
                                                                                        • Part of subcall function 0048BAB8: FreeLibrary.KERNEL32(?), ref: 0048BC89
                                                                                        • Part of subcall function 0048BAB8: ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048BC99
                                                                                        • Part of subcall function 0048BAB8: DestroyIcon.USER32(?), ref: 0048BCA8
                                                                                        • Part of subcall function 0048BAB8: SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BCC5
                                                                                        • Part of subcall function 0048BAB8: SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BCD1
                                                                                      • DestroyWindow.USER32(?), ref: 00486D86
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$ImageWindow$MessageSend$DestroyIconLibrary$CreateExtractFreeMoveObjectShowStock
                                                                                      • String ID: static
                                                                                      • API String ID: 612111110-2160076837
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.23%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004869D0
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004869DB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$CreateObjectShowStock
                                                                                      • String ID: Combobox
                                                                                      • API String ID: 269107984-2096851135
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00486EE0
                                                                                      • GetSysColor.USER32(00000012), ref: 00486EFA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ColorCreateMessageObjectRectSendShowStock
                                                                                      • String ID: static
                                                                                      • API String ID: 4111186075-2160076837
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.24%

                                                                                      APIs
                                                                                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                        • Part of subcall function 00401D35: ShowWindow.USER32(00000000,00000000), ref: 0043BD22
                                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00486C11
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00486C20
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSend$CreateLengthObjectShowStockText
                                                                                      • String ID: edit
                                                                                      • API String ID: 4181820857-2167791130
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.15%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: .dll$OaA
                                                                                      • API String ID: 4104443479-4235742178
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000001.1841235880.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000001.1840825548.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843462512.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000001.1843477428.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843494026.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000001.1843746294.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_1_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __fread_nolock_memmove
                                                                                      • String ID: EA06
                                                                                      • API String ID: 1988441806-3962188686
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 2.71%

                                                                                      APIs
                                                                                      • __calloc_crt.LIBCMT ref: 00426DD0
                                                                                        • Part of subcall function 00428A15: __calloc_impl.LIBCMT ref: 00428A24
                                                                                      • __calloc_crt.LIBCMT ref: 00426DE9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: __calloc_crt$__calloc_impl
                                                                                      • String ID: @RL
                                                                                      • API String ID: 4112851154-2017224383
                                                                                      • Opcode ID: f535812a5555e23c147d5a945646e9e24fea3464ae2e50450e7a75ea915a6a25
                                                                                      • Instruction ID: bbd8b9fab33c61190424cec5909bf4a4914ceb41b768b9a47a746c2f3f0f3bb9
                                                                                      • Opcode Fuzzy Hash: f535812a5555e23c147d5a945646e9e24fea3464ae2e50450e7a75ea915a6a25
                                                                                      • Instruction Fuzzy Hash: 87F0C8713142269BF764EF29BC01BB66795EB00724B53807FE504CB2D0EB788841469C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                        • Part of subcall function 0043B564: _memset.LIBCMT ref: 0043B571
                                                                                        • Part of subcall function 00420B84: InitializeCriticalSectionAndSpinCount.KERNEL32(004C5158,00000000,004C5144,0043B540,?,?,?,0040100A), ref: 00420B89
                                                                                        • Part of subcall function 00420B84: GetLastError.KERNEL32(?,?,?,0040100A), ref: 004562E7
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B544
                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B553
                                                                                      Strings
                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B54E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString_memset
                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                      • API String ID: 436010757-631824599
                                                                                      • Opcode ID: cfdba6c3f5d1c47e0915195a6a61c30b6b4130fea4c9ebe93c9a57294c91e8a4
                                                                                      • Instruction ID: bbad548b5aabf2add28ed68359945d9081cd17edac9c4c9c4009ad7997521b12
                                                                                      • Opcode Fuzzy Hash: cfdba6c3f5d1c47e0915195a6a61c30b6b4130fea4c9ebe93c9a57294c91e8a4
                                                                                      • Instruction Fuzzy Hash: 7EE06DB02003108BD720DF69E5047467BE0EB14748F00C97EE946C6251D7BCE448CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 100.00%

                                                                                      APIs
                                                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00441B9F
                                                                                        • Part of subcall function 0047C304: LoadLibraryA.KERNEL32(kernel32.dll), ref: 0047C312
                                                                                        • Part of subcall function 0047C304: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00441D88,?), ref: 0047C324
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00441D97
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                      • String ID: WIN_XPe
                                                                                      • API String ID: 582185067-3257408948
                                                                                      • Opcode ID: af0a56820825745426f4d03bb04c2b0f0d3c287a6387f6cce3cf7a492779281f
                                                                                      • Instruction ID: c8091f0db7e28bb6b7c32348aacfe7bcbdcf0e89efc274199b4bea7c31e24fe9
                                                                                      • Opcode Fuzzy Hash: af0a56820825745426f4d03bb04c2b0f0d3c287a6387f6cce3cf7a492779281f
                                                                                      • Instruction Fuzzy Hash: D3F03970800049DFEB15DB91C988AECBBF8EB08300F5044ABE102B21A0E7386F85CF29
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.31%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1883528133.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1883521646.00400000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883613144.00564000.00000004.sdmp
                                                                                      • Associated: 00000004.00000002.1883620679.00565000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883632813.00575000.00000002.sdmp
                                                                                      • Associated: 00000004.00000002.1883692963.005FF000.00000040.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_TkAngEQurH.jbxd
                                                                                      Similarity
                                                                                      • API ID: LocalTime
                                                                                      • String ID: %.3d$WIN_XPe
                                                                                      • API String ID: 481472006-2409531811
                                                                                      • Opcode ID: c18ac069e1d6eb3ecd6810b2c64f4779c8ba0f418c5f4b219093c25649736dfb
                                                                                      • Instruction ID: 41f1b97e473b991b9022892c38b55fdedc2d4ba70ca61e7e94cb44e346d53a61
                                                                                      • Opcode Fuzzy Hash: c18ac069e1d6eb3ecd6810b2c64f4779c8ba0f418c5f4b219093c25649736dfb
                                                                                      • Instruction Fuzzy Hash: 78D0EC71804158EADA449A9098449F9737CE708301F6005A3B506A2450F23DABD69B2F
                                                                                      Uniqueness

                                                                                      Uniqueness Score: 0.30%