
Windows Analysis Report
dK5DtwHlOm.exe

Overview

General Information

Sample name: dK5DtwHlOm.exe (renamed because original name is a hash value)
Original sample name: 11471fefe1cc0d23ed54aa434ea7c0ccbfef0350457235346936822fbcb39f43.exe
Analysis ID: 1554992
MD5: 932b9920b8fdecc6e2fd9c0aa298ffbc
SHA1: 6a058ce158711c8dd50cd914b49e40d55f0377c0
SHA256: 11471fefe1cc0d23ed54aa434ea7c0ccbfef0350457235346936822fbcb39f43
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • dK5DtwHlOm.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\dK5DtwHlOm.exe" MD5: 932B9920B8FDECC6E2FD9C0AA298FFBC)
    • msiexec.exe (PID: 4208 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\dK5DtwHlOm.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488655 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 2536 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5796 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9AEE7218D2031C6F2AE76EA651368327 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6936 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A37C39DFED73779FFC80EA38DF9643CA MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                       | SID     | Severity | Classtype                     | Source IP       | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T10:07:21.552340+0100 | 2022930 | 1        | A Network Trojan was detected | 172.202.163.200 | 443         | 192.168.2.4    | 49735            | TCP
2024-11-13T10:07:59.695765+0100 | 2022930 | 1        | A Network Trojan was detected | 172.202.163.200 | 443         | 192.168.2.4    | 49743            | TCP

There are no malicious signatures.

Compliance

Source: dK5DtwHlOm.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: dK5DtwHlOm.exe | Static PE information: certificate valid
Source: dK5DtwHlOm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: dK5DtwHlOm.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B02380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009FAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B03220 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE5370 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AC8230 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B208D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0C930 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AECF00 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AFF260 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0F8A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49743
Source: dK5DtwHlOm.exe | String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: dK5DtwHlOm.exe, 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp, dK5DtwHlOm.exe, 00000000.00000000.1675013179.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: shi9909.tmp.0.dr | String found in binary or memory: http://.css
Source: shi9909.tmp.0.dr | String found in binary or memory: http://.jpg
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi9909.tmp.0.dr | String found in binary or memory: http://html4/loose.dtd
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B22390 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AA2620 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A88100 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A40110 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F2330 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009FC750 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F8840 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F89B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009EEBF0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A40C9E GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A40C28 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A40D5D GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009EF1A0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009EF7D0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A0D760 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F1740 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A018D0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F1D70 NtdllDefWindowProc_W
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5b9aaf.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B1C120
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009FAB80
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AF8C40
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B215C0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00ABC150
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A062B0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A044A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009FE540
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B867E0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F8DF0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B8EF3A
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009E3010
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AC3460
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A15680
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B7F7DC
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A03890
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B919A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A079D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A3FAD0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B99D65
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009E3E25
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 009E9120 appears 38 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 009E87D0 appears 404 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 00ADF720 appears 61 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 009E70D0 appears 36 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 009E7160 appears 50 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 00A13BA0 appears 90 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: String function: 009E9990 appears 60 times
Source: dK5DtwHlOm.exe, 00000000.00000000.1675223362.0000000000C88000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameInstaller.exe6 vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1677250230.000000000120F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDecoder.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe | Binary or memory string: OriginalFileNameInstaller.exe6 vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe | Binary or memory string: OriginalFilenameDecoder.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi9909.tmp.0.dr | Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine | Classification label: clean8.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE3200 FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0DAE0 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B27B10 CoCreateInstance
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A7AD00 FindResourceW,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File created: C:\Users\user\AppData\Roaming\Restricted editor savers
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File created: C:\Users\user\AppData\Local\Temp\shi9909.tmp
Source: dK5DtwHlOm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File read: C:\Users\user\Desktop\dK5DtwHlOm.exe
Source: unknown | Process created: C:\Users\user\Desktop\dK5DtwHlOm.exe "C:\Users\user\Desktop\dK5DtwHlOm.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9AEE7218D2031C6F2AE76EA651368327 C
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\dK5DtwHlOm.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488655 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A37C39DFED73779FFC80EA38DF9643CA
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\dK5DtwHlOm.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488655 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9AEE7218D2031C6F2AE76EA651368327 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A37C39DFED73779FFC80EA38DF9643CA
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: davhlpr.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: lpk.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: msihnd.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: dK5DtwHlOm.exeStatic PE information: certificate valid
Source: dK5DtwHlOm.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: dK5DtwHlOm.exeStatic file information: File size 51730672 > 1048576
Source: dK5DtwHlOm.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x217a00
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dK5DtwHlOm.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: dK5DtwHlOm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: dK5DtwHlOm.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: dK5DtwHlOm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dK5DtwHlOm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dK5DtwHlOm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dK5DtwHlOm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dK5DtwHlOm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi9909.tmp.0.dr | Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B20560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B20560
Source: shi9909.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shi9909.tmp.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_011DBF88 push ds; retf 0009h 0_3_011DBF8A
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_011CC9A2 pushad ; iretd 0_3_011CCEA9
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_011D31C6 push esp; iretd 0_3_011D321C
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_011D32BB push edx; retf 0_3_011D32BC
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_011D12A8 push eax; iretd 0_3_011D12A9
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_0120E16B push es; ret 0_3_0120E16E
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_01206351 push es; ret 0_3_01206772
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_0120D1A8 push eax; iretd 0_3_0120D1B5
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_01206785 push es; retf 0_3_01206786
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_01206787 push es; iretd 0_3_01206792
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_0120CDE0 push eax; iretd 0_3_0120CDE1
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_3_0120DEDC push es; retf 0_3_0120DFC6
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A860EB push ecx; mov dword ptr [esp], 3F800000h 0_2_00A862BE
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B7771E push ecx; ret 0_2_00B77731
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F3B2B push esi; ret 0_2_009F3B2D
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009F5CB0 push ecx; mov dword ptr [esp], ecx 0_2_009F5CB1
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AC3D60 push ecx; mov dword ptr [esp], 3F800000h 0_2_00AC3E96
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File created: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File created: C:\Users\user\AppData\Local\Temp\MSI99D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File created: C:\Users\user\AppData\Local\Temp\MSI9977.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File created: C:\Users\user\AppData\Local\Temp\shi9909.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI99D6.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9977.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi9909.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-65912
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File Volume queried: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File Volume queried: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B02380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_00B02380
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_009FAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,0_2_009FAB80
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,0_2_00AE4DA0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B03220 FindFirstFileW,FindClose,0_2_00B03220
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE5370 FindFirstFileW,GetLastError,FindClose,0_2_00AE5370
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AC8230 FindFirstFileW,FindNextFileW,FindClose,0_2_00AC8230
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_00B0C530
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B208D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_00B208D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0C930 FindFirstFileW,FindClose,0_2_00B0C930
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AE4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,0_2_00AE4A10
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AECF00 FindFirstFileW,FindClose,FindClose,0_2_00AECF00
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00AFF260 FindFirstFileW,FindClose,0_2_00AFF260
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0F8A0 FindFirstFileW,FindClose,0_2_00B0F8A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,0_2_00B0B500
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B7411D VirtualQuery,GetSystemInfo,0_2_00B7411D
Source: MSI9E2C.tmp.1.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B76437 IsDebuggerPresent,OutputDebugStringW,0_2_00B76437
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B20560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B20560
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B7674C mov esi, dword ptr fs:[00000030h] 0_2_00B7674C
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B98A0E mov eax, dword ptr fs:[00000030h] 0_2_00B98A0E
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B8D840 mov ecx, dword ptr fs:[00000030h] 0_2_00B8D840
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B767B8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_00B767B8
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00A12530 __set_se_translator,SetUnhandledExceptionFilter,0_2_00A12530
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B771E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B771E8
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B7BEA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B7BEA3
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\restricted editor savers\editpro ai 1.131.2\install\9629e8b\installer.msi" ai_setupexepath=c:\users\user\desktop\dk5dtwhlom.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488655 " ai_euimsi=""
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\restricted editor savers\editpro ai 1.131.2\install\9629e8b\installer.msi" ai_setupexepath=c:\users\user\desktop\dk5dtwhlom.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488655 " ai_euimsi=""
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: 0_2_00B0FD20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,0_2_00B0FD20
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx,0_2_00B04F10
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: EnumSystemLocalesW,0_2_00B90DD9
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00B94D50
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: EnumSystemLocalesW,0_2_00B94FF2
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,0_2_00B94F4B
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: EnumSystemLocalesW,0_2_00B950D8
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: EnumSystemLocalesW,0_2_00B9503D
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00B95163
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,0_2_00B953B6
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,0_2_00B91356
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00B954DF
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetLocaleInfoW,0_2_00B955E5
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00B956B4
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeCode function: 0_2_00B1C8F0 CreateNamedPipeW,CreateFileW,0_2_00B1C8F0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeCode function: 0_2_00B763AD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_00B763AD
Source: C:\Users\user\Desktop\dK5DtwHlOm.exeCode function: 0_2_00B1B490 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,0_2_00B1B490
MITRE ATT&CK Matrix (a count in parentheses is the number of signatures mapped to that technique; cells without a count were not matched):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Replication Through Removable Media (1) | Command and Scripting Interpreter (1) | DLL Side-Loading (1) | Process Injection (2) | Masquerading (21) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (2) | LSASS Memory | Security Software Discovery (21) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Peripheral Device Discovery (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Account Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | System Owner/User Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | File and Directory Discovery (3) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | File Deletion (1) | DCSync | System Information Discovery (25) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (ID: 1554992, Sample: dK5DtwHlOm.exe, Startdate: 13/11/2024, Architecture: WINDOWS, Score: 8):
  • dK5DtwHlOm.exe started; started msiexec.exe; dropped C:\Users\user\AppData\Roaming\...\decoder.dll (PE32), C:\Users\user\AppData\Local\...\shi9909.tmp (PE32+), C:\Users\user\AppData\Local\...\MSI99D6.tmp (PE32), C:\Users\user\AppData\Local\...\MSI9977.tmp (PE32)
  • msiexec.exe started; started two further msiexec.exe instances; dropped C:\Windows\Installer\MSI9E2C.tmp (PE32), C:\Windows\Installer\MSI9E0C.tmp (PE32), C:\Windows\Installer\MSI9DCC.tmp (PE32), C:\Windows\Installer\MSI9D2F.tmp (PE32)
Source | Detection | Scanner
dK5DtwHlOm.exe | 0% | ReversingLabs
dK5DtwHlOm.exe | 0% | Virustotal

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\MSI99D6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\shi9909.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\decoder.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI9D2F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9DCC.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9E0C.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9E2C.tmp | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | shi9909.tmp.0.dr | false | | high
https://www.advancedinstaller.com | dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | false | | high
https://www.thawte.com/cps0/ | dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | false | | high
http://.css | shi9909.tmp.0.dr | false | | high
http://.jpg | shi9909.tmp.0.dr | false | | high
https://www.thawte.com/repository0W | dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr | false | | high
              No contacted IP infos
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1554992
              Start date and time:2024-11-13 10:06:11 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 23s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:dK5DtwHlOm.exe
              renamed because original name is a hash value
              Original Sample Name:11471fefe1cc0d23ed54aa434ea7c0ccbfef0350457235346936822fbcb39f43.exe
              Detection:CLEAN
              Classification:clean8.winEXE@8/13@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 56%
              • Number of executed functions: 69
              • Number of non-executed functions: 177
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | 0n25lfPJxD.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | SecuriteInfo.com.BackDoor.Siggen2.4873.19832.17135.msi | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | SecuriteInfo.com.BackDoor.Siggen2.4873.19471.19549.msi | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | zoQOIWTCDJ.msi | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | EjhVO5YaYI.msi | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | QuickBooks JAWANI.msi | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | QuickBooks Setup.msi | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | QuickBooks Setup.msi.zip | malicious | Unknown
C:\Users\user\AppData\Local\Temp\MSI9977.tmp | Honeygain_install.exe | malicious | Unknown
                                  Process:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:6144:3SGhsSlnJc5xR+yGjNUaPkp8u84XLyJ+8zLCAONOmXNfnZRAF3U+Hj1:3SGXc5Seas8uDELCeGNPZh+Hj1
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: 0n25lfPJxD.exe, Detection: malicious
• Filename: SecuriteInfo.com.BackDoor.Siggen2.4873.19832.17135.msi, Detection: malicious
• Filename: SecuriteInfo.com.BackDoor.Siggen2.4873.19471.19549.msi, Detection: malicious
• Filename: zoQOIWTCDJ.msi, Detection: malicious
• Filename: EjhVO5YaYI.msi, Detection: malicious
• Filename: QuickBooks JAWANI.msi, Detection: malicious
• Filename: QuickBooks Setup.msi, Detection: malicious
• Filename: QuickBooks Setup.msi.zip, Detection: malicious
• Filename: Honeygain_install.exe, Detection: malicious
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):934880
                                  Entropy (8bit):6.463468533833365
                                  Encrypted:false
                                  SSDEEP:24576:FmCzCf7c4yQ8xtgIZROly4aNXVW+hv+Ahi:8Rc4yQ8xtoly4aNXVW+hv+Ahi
                                  MD5:B15DBF4B35CD1460BA283795E24878C8
                                  SHA1:327812BE4BFDCE7A87CB00FAB432ECC0D8C38C1E
                                  SHA-256:0AC07DB6140408E9586D46727EB32AF8F8048CAD535ECA9052B6EF1149E63147
                                  SHA-512:95EDC60C9658E0E8631604459969A406414902F297B7A14F2BE6D3BC18878636167D202530D4EE3B4D7AF189A9139A2183929250920196C48C08EDA3D6DFDCA4
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):278
                                  Entropy (8bit):3.4343194815230804
                                  Encrypted:false
                                  SSDEEP:6:Qg6RvA9cOYrsfc/okjxaaOEqQbr62avKpnKBlv2K84UlUlFFKCH:QbAYsc/7aFEVbr62aInKT86FKw
                                  MD5:FDEDAD9E70B40F84D24BD8E5DCFFAC42
                                  SHA1:1DD871626F2A52BF153C179689D8A181538096FC
                                  SHA-256:1FA3CC4619B7BF7E8D6320B6000F822F17141A76375743C2637FEA3BD85B7AF9
                                  SHA-512:8D6756B21A098C027AAD4D57F85E56D15F7510FD030C0C977D06C1AF7E59D7062FA43A6AE74ACA797959C88A3EDC2CE54F1A1D62FCF625B40E84B62CD04623E3
                                  Malicious:false
                                  Reputation:low
Preview (UTF-16 text, decoded): EditPro Ai cannot be installed on systems with screen resolution smaller than 1360 x 768 / === Logging stopped: 13/11/2024  04:07:13 ===
                                  Process:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):5038592
                                  Entropy (8bit):6.043058205786219
                                  Encrypted:false
                                  SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                  MD5:11F7419009AF2874C4B0E4505D185D79
                                  SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                  SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                  SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A14A8F8E-54FE-43B0-84DE-DDD8EBDB97D1}, Number of Words: 0, Subject: EditPro Ai, Author: Restricted editor savers, Name of Creating Application: EditPro Ai, Template: ;1033, Comments: This installer database contains the logic and data required to install EditPro Ai., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):2493440
                                  Entropy (8bit):6.592310443965914
                                  Encrypted:false
                                  SSDEEP:49152:EHiYW67SAZhAjMApRc4yQ8xtoly4aNXVW+hv+AhilHovZ2V9SH+0Js0NX:RYWsVAEtoTo
                                  MD5:B7B992FF846E5ED1BBF631C29976B617
                                  SHA1:30D40ED73D4E231CA8BF963396C33DF547C4912A
                                  SHA-256:C44780DC3FD4DDF8E8B88C2BCB768B793B3EA2D2D38E57935DEA736B947C62F5
                                  SHA-512:291B75510254D4F87057D8DF52CFBE4BE6ADC36F28F624F947BD20843923C4521CCB3CDB5A18AD75FA664503B0A7DCE467020C259633AD9EB9B68B9809AD3707
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):211456
                                  Entropy (8bit):6.450220092257771
                                  Encrypted:false
                                  SSDEEP:3072:iltFwoJxZQ4fK70l5DqKtRnBBjGd4uM4h0lntiEnc2xMe4fyyERt:iaU87+3nHy6n0NF5ERt
                                  MD5:899944FB96CCC34CFBD2CCB9134367C5
                                  SHA1:7C46AA3F84BA5DA95CEFF39CD49185672F963538
                                  SHA-256:780D10EDA2B9A0A10BF844A7C8B6B350AA541C5BBD24022FF34F99201F9E9259
                                  SHA-512:2C41181F9AF540B4637F418FC148D41D7C38202FB691B56650085FE5A9BDBA068275FF07E002E1044760754876C62D7B4FC856452AF80A02C5F5A9A7DC75B5E0
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):162294897
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:52CCD73381770B6FA1E0E33B65F6ED65
                                  SHA1:027C58D8C3CCCCE2BE80841F4383AB1C66253006
                                  SHA-256:8632EB84E2DCFE49FEDA48252BA8DB0AEEEC46CDD31DC4B28829A6D49C57D1CA
                                  SHA-512:BDDBEA4786FA1D4BBAD47446C5D9577E00251ABF0CA882BDA5166178C248BD223645235FB95C6114A560DC45DD3D8FCCE0355C4DA459E94DC367A074C6EFA1B4
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A14A8F8E-54FE-43B0-84DE-DDD8EBDB97D1}, Number of Words: 0, Subject: EditPro Ai, Author: Restricted editor savers, Name of Creating Application: EditPro Ai, Template: ;1033, Comments: This installer database contains the logic and data required to install EditPro Ai., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):2493440
                                  Entropy (8bit):6.592310443965914
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:B7B992FF846E5ED1BBF631C29976B617
                                  SHA1:30D40ED73D4E231CA8BF963396C33DF547C4912A
                                  SHA-256:C44780DC3FD4DDF8E8B88C2BCB768B793B3EA2D2D38E57935DEA736B947C62F5
                                  SHA-512:291B75510254D4F87057D8DF52CFBE4BE6ADC36F28F624F947BD20843923C4521CCB3CDB5A18AD75FA664503B0A7DCE467020C259633AD9EB9B68B9809AD3707
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:modified
                                  Size (bytes):934880
                                  Entropy (8bit):6.463468533833365
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:B15DBF4B35CD1460BA283795E24878C8
                                  SHA1:327812BE4BFDCE7A87CB00FAB432ECC0D8C38C1E
                                  SHA-256:0AC07DB6140408E9586D46727EB32AF8F8048CAD535ECA9052B6EF1149E63147
                                  SHA-512:95EDC60C9658E0E8631604459969A406414902F297B7A14F2BE6D3BC18878636167D202530D4EE3B4D7AF189A9139A2183929250920196C48C08EDA3D6DFDCA4
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:bu.[.&.[.&.[.&7).'.[.&7).'Q[.&.#.'.[.&.#.'.[.&.#.'.[.&7).'.[.&7).'.[.&.[.&.Z.&d".'.[.&d".'.[.&d".&.[.&.[.&.[.&d".'.[.&Rich.[.&................PE..L....8b.........."!................ ........................................p......$.....@.........................0|..t....|.......`...............*.......p.......,..p...................@-.......+..@............................................text............................... ..`.rdata..T...........................@..@.data...T............x..............@....rsrc........`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):432221
                                  Entropy (8bit):5.37516953282471
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:62957DF3A39FDF5C66BEF6C79B0D89E8
                                  SHA1:2A7B6C37203F6A96A0F57C78F6D27DCC4417884F
                                  SHA-256:104FC51191054254824201A08681994399C834CC24F680CAE2C8144B3391CB30
                                  SHA-512:B57FD74DA392FC8E9D0E4B5F1AA4020919A208BE7345DE264857C1095F6EA0339E6B452C52D0F1471959BF606F3529E2951DABB8B4AE083A7DA4ED51B086A091
                                  Malicious:false
                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.977838958843423
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:dK5DtwHlOm.exe
                                  File size:51'730'672 bytes
                                  MD5:932b9920b8fdecc6e2fd9c0aa298ffbc
                                  SHA1:6a058ce158711c8dd50cd914b49e40d55f0377c0
                                  SHA256:11471fefe1cc0d23ed54aa434ea7c0ccbfef0350457235346936822fbcb39f43
                                  SHA512:31ea884412faa2f107a1f31e61b04a045e22ff6732e933f2ca8af22872ba5913157cadd5227a8537404a5abc7c466bc915795fbff252723c9908a8fe6df69f0d
                                  SSDEEP:786432:5tTniVhO792ZWUvUky35+ZM4nUo3oxYRx98JH0McUy6JtvVrnIJw0dKN3AlKBeUo:3wg2ZFUkHPUo3198JH0MTt8A3AlKB3yN
                                  TLSH:32B72330364DC52BDA6605B0293D9A9F55197E650FB298C7B3CC3D7E1AB48C21732E2B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.....t...t...t...w.#.t...q...t...r./.t.L.p.=.t.L.w.6.t.L.q.M.t...p.4.t...u.-.t...s./.t...u...t...}.c.t...../.t...../.t...v./.t
                                  Icon Hash:ffb7c95954e6bdff
                                  Entrypoint:0x597714
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6238823F [Mon Mar 21 13:48:47 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:836688c7d21e39394af41ce9a8c2d728
                                  Signature Valid:true
                                  Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                  Signature Validation Error:The operation completed successfully
                                  Error Number:0
                                  Not Before, Not After
                                  • 30/08/2024 13:25:00 30/08/2025 13:25:00
                                  Subject Chain
                                  • OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=ConsolHQ LTD, SERIALNUMBER=12800651, O=ConsolHQ LTD, L=Erith, C=GB
                                  Version:3
                                  Thumbprint MD5:E4ED28FFAC43E82D3DB5467DE244B770
                                  Thumbprint SHA-1:787863161875446360E7486D3CF5E34E15DC8009
                                  Thumbprint SHA-256:CA814262219EF4B9EF1CC76050E02D41B34F87AEF05D34FA378DAE913F4C784C
                                  Serial:740833F89CC52CAE8CEA1984A66DBB66
                                  Instruction
                                  call 00007F0EA123E59Fh
                                  jmp 00007F0EA123DDDFh
                                  mov ecx, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], ecx
                                  pop ecx
                                  pop edi
                                  pop edi
                                  pop esi
                                  pop ebx
                                  mov esp, ebp
                                  pop ebp
                                  push ecx
                                  ret
                                  mov ecx, dword ptr [ebp-10h]
                                  xor ecx, ebp
                                  call 00007F0EA123D433h
                                  jmp 00007F0EA123DF42h
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], esp
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29de24 | 0x28 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a8000 | 0x4b6f8 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x31538d8 | 0x2018 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f4000 | 0x257cc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x247848 | 0x70 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x2478c0 | 0x18 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21af38 | 0x40 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x219000 | 0x2c0 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x29b218 | 0x260 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0x21791f | 0x217a00 | c49c101070a1945156e31ccb8b4c699f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata | 0x219000 | 0x85e1c | 0x86000 | 0bc20f46e2242997255f9f9e7ecca899 | False | 0.31188236065764924 | data | 4.604766709480219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0x29f000 | 0x89f0 | 0x6a00 | 718c6ac2ba6bcb374d818e1d67c3a166 | False | 0.1418410966981132 | DOS executable (block device driver \340kY) | 2.877738466626911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x2a8000 | 0x4b6f8 | 0x4b800 | a75cda4571179e3232c364eb85e81d7b | False | 0.18434719060430463 | data | 5.801481286866672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x2f4000 | 0x257cc | 0x25800 | 341590d742eebeddce717893413cf78e | False | 0.44703125 | data | 6.513825531591639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   IMAGE_FILE | 0x2a8cb0 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                   IMAGE_FILE | 0x2a8cb8 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                   RTF_FILE | 0x2a8cc0 | 0x2e9 | Rich Text Format data, version 1, ANSI, code page 1252 | English | United States | 0.5503355704697986
                                   RTF_FILE | 0x2a8fac | 0xa1 | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | English | United States | 0.906832298136646
                                   RT_BITMAP | 0x2a9050 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
                                   RT_BITMAP | 0x2a9190 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
                                   RT_BITMAP | 0x2a99b8 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
                                   RT_BITMAP | 0x2ae260 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
                                   RT_BITMAP | 0x2aeccc | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
                                   RT_BITMAP | 0x2aee20 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
                                   RT_ICON | 0x2af648 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 39 x 39 px/m | English | United States | 0.7065602836879432
                                   RT_ICON | 0x2afab0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 39 x 39 px/m | English | United States | 0.5618852459016394
                                   RT_ICON | 0x2b0438 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 39 x 39 px/m | English | United States | 0.3968105065666041
                                   RT_ICON | 0x2b14e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 39 x 39 px/m | English | United States | 0.28526970954356845
                                   RT_ICON | 0x2b3a88 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 39 x 39 px/m | English | United States | 0.2151629664619745
                                   RT_ICON | 0x2b7cb0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 39 x 39 px/m | English | United States | 0.1788354898336414
                                   RT_ICON | 0x2bd138 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 39 x 39 px/m | English | United States | 0.1355371032163128
                                   RT_ICON | 0x2c65e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 39 x 39 px/m | English | United States | 0.10163551401869159
                                   RT_ICON | 0x2d6e08 | 0x2d05 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9739696312364425
                                   RT_MENU | 0x2d9b10 | 0x5c | data | English | United States | 0.8478260869565217
                                   RT_MENU | 0x2d9b6c | 0x2a | data | English | United States | 1.0714285714285714
                                   RT_DIALOG | 0x2d9b98 | 0xac | data | English | United States | 0.7151162790697675
                                   RT_DIALOG | 0x2d9c44 | 0x2a6 | data | English | United States | 0.5132743362831859
                                   RT_DIALOG | 0x2d9eec | 0x3b4 | data | English | United States | 0.43248945147679324
                                   RT_DIALOG | 0x2da2a0 | 0xbc | data | English | United States | 0.7180851063829787
                                   RT_DIALOG | 0x2da35c | 0x204 | data | English | United States | 0.560077519379845
                                   RT_DIALOG | 0x2da560 | 0x282 | data | English | United States | 0.48598130841121495
                                   RT_DIALOG | 0x2da7e4 | 0xcc | data | English | United States | 0.6911764705882353
                                   RT_DIALOG | 0x2da8b0 | 0x146 | data | English | United States | 0.5736196319018405
                                   RT_DIALOG | 0x2da9f8 | 0x226 | data | English | United States | 0.4690909090909091
                                   RT_DIALOG | 0x2dac20 | 0x388 | data | English | United States | 0.45464601769911506
                                   RT_DIALOG | 0x2dafa8 | 0x1b4 | data | English | United States | 0.5458715596330275
                                   RT_DIALOG | 0x2db15c | 0x136 | data | English | United States | 0.6064516129032258
                                   RT_DIALOG | 0x2db294 | 0x4c | data | English | United States | 0.8289473684210527
                                   RT_STRING | 0x2db2e0 | 0x45c | data | English | United States | 0.3844086021505376
                                   RT_STRING | 0x2db73c | 0x344 | data | English | United States | 0.37320574162679426
                                   RT_STRING | 0x2dba80 | 0x2f8 | data | English | United States | 0.4039473684210526
                                   RT_STRING | 0x2dbd78 | 0x598 | data | English | United States | 0.2807262569832402
                                   RT_STRING | 0x2dc310 | 0x3aa | StarOffice Gallery theme i, 1627418368 objects, 1st n | English | United States | 0.4211087420042644
                                   RT_STRING | 0x2dc6bc | 0x5c0 | data | English | United States | 0.3498641304347826
                                   RT_STRING | 0x2dcc7c | 0x568 | data | English | United States | 0.32875722543352603
                                   RT_STRING | 0x2dd1e4 | 0x164 | data | English | United States | 0.5421348314606742
                                   RT_STRING | 0x2dd348 | 0x520 | data | English | United States | 0.39176829268292684
                                   RT_STRING | 0x2dd868 | 0x1a0 | data | English | United States | 0.45913461538461536
                                   RT_STRING | 0x2dda08 | 0x18a | data | English | United States | 0.5228426395939086
                                   RT_STRING | 0x2ddb94 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
                                   RT_STRING | 0x2dddac | 0x624 | data | English | United States | 0.3575063613231552
                                   RT_STRING | 0x2de3d0 | 0x660 | data | English | United States | 0.3474264705882353
                                   RT_STRING | 0x2dea30 | 0x2e2 | data | English | United States | 0.4037940379403794
                                   RT_GROUP_ICON | 0x2ded14 | 0x84 | data | English | United States | 0.7196969696969697
                                   RT_VERSION | 0x2ded98 | 0x314 | data | English | United States | 0.43781725888324874
                                   RT_HTML | 0x2df0ac | 0x37c8 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08291316526610644
                                   RT_HTML | 0x2e2874 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
                                   RT_HTML | 0x2e3b8c | 0x4fa | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3626373626373626
                                   RT_HTML | 0x2e4088 | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
                                   RT_HTML | 0x2eab58 | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
                                   RT_HTML | 0x2eb1fc | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
                                   RT_HTML | 0x2ec248 | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
                                   RT_HTML | 0x2ed7fc | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
                                   RT_HTML | 0x2ef858 | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
                                   RT_MANIFEST | 0x2f2ee8 | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.40814348036839554
                                   DLL | Import
                                   KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
                                   Language of compilation system | Country where language is spoken | Map
                                   English | United States |
                                  No network behavior found
                                  Target ID:0
                                  Start time:04:07:02
                                  Start date:13/11/2024
                                  Path:C:\Users\user\Desktop\dK5DtwHlOm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\dK5DtwHlOm.exe"
                                  Imagebase:0x9e0000
                                  File size:51'730'672 bytes
                                  MD5 hash:932B9920B8FDECC6E2FD9C0AA298FFBC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:04:07:05
                                  Start date:13/11/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                  Imagebase:0x7ff7b9520000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:2
                                  Start time:04:07:06
                                  Start date:13/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 9AEE7218D2031C6F2AE76EA651368327 C
                                  Imagebase:0xf00000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:04:07:06
                                  Start date:13/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\dK5DtwHlOm.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488655 " AI_EUIMSI=""
                                  Imagebase:0xf00000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:04:07:07
                                  Start date:13/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding A37C39DFED73779FFC80EA38DF9643CA
                                  Imagebase:0xf00000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:3.8%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:25.6%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:73
64572->64575 64576 b04ddb __Getctype 64573->64576 65341 9fb5f0 44 API calls 2 library calls 64573->65341 64574->64576 64577 b80746 ___std_exception_destroy 13 API calls 64574->64577 65342 9f2a50 RaiseException 64575->65342 64576->64575 64578 b04e76 64576->64578 64577->64576 64580 b80746 ___std_exception_destroy 13 API calls 64578->64580 64578->64582 64580->64582 64581 b04ed4 64581->64048 64582->64048 64585->64014 64586->64051 65343 b8edad 64587->65343 64590->64136 64592->64066 64593->64066 64594->64166 64596 acd82c 64595->64596 64598 acd869 64595->64598 64597 b80746 ___std_exception_destroy 13 API calls 64596->64597 64597->64598 64598->64166 64599->64166 64600->64166 64601->64166 64602->64166 64603->64199 64604->64165 64605->64140 64606->64147 64607->64158 64608->64177 64609->64181 64610 afb460 320 API calls 5 library calls 64610->64169 64611->64174 64612->64189 64613->64224 64614->64225 64618->64152 64619->64273 64620->64278 64621->64294 64622->64294 64624 aca5c5 64623->64624 64626 aca586 64623->64626 64625 9e9ae0 2 API calls 64624->64625 64632 aca5d0 64624->64632 64633 aca5ea 64625->64633 64627 aca5a1 64626->64627 64634 9e9870 45 API calls 64626->64634 64635 9e98e0 44 API calls 3 library calls 64627->64635 64630 aca5b2 64636 9e98e0 44 API calls 3 library calls 64630->64636 64632->64303 64633->64303 64634->64627 64635->64630 64636->64624 64638 9e9e20 53 API calls 64637->64638 64639 b1d29a 64638->64639 64640 b1d2a0 64639->64640 64641 b1d30a 64639->64641 64645 b1d2c2 64640->64645 64646 b1d2cd 64640->64646 64642 9e9ae0 2 API calls 64641->64642 64643 b1d314 64642->64643 64655 b1cb80 122 API calls std::_Locinfo::_Locinfo_ctor 64643->64655 64653 9e9120 53 API calls 64645->64653 64654 9e9990 45 API calls 2 library calls 64646->64654 64649 b1d2cb 64650 9fab80 117 API calls 64649->64650 64651 b1d2f5 64650->64651 64651->64311 64652 b1d358 64652->64311 64653->64649 64654->64649 64655->64652 64657 b1d094 ReadFile 64656->64657 64658 b1d049 ConnectNamedPipe 64656->64658 64659 
b1d129 64657->64659 64660 b1d0bc 64657->64660 64658->64657 64661 b1d056 GetLastError 64658->64661 64662 9e9e20 53 API calls 64659->64662 64660->64659 64663 b1d0c1 64660->64663 64661->64657 64664 b1d06a 64661->64664 64665 b1d12e 64662->64665 64666 9f6a60 62 API calls 64663->64666 64664->64657 64670 b1d073 64664->64670 64667 b1d078 64665->64667 64668 b1d134 64665->64668 64669 b1d0cc 64666->64669 64672 9e9ae0 2 API calls 64667->64672 64676 b1d080 64667->64676 64668->64676 64673 9e9620 45 API calls 64669->64673 64671 9e9e20 53 API calls 64670->64671 64671->64667 64674 b1d16f 64672->64674 64675 b1d0de 64673->64675 64677 b1d1e5 WriteFile 64674->64677 64678 b1d1a6 64674->64678 64675->64325 64676->64325 64679 b1d202 64677->64679 64680 b1d21c 64677->64680 64681 9e9e20 53 API calls 64678->64681 64682 9e9e20 53 API calls 64679->64682 64684 b1d010 118 API calls 64680->64684 64683 b1d1ab 64681->64683 64685 b1d207 64682->64685 64686 b1d1b3 64683->64686 64687 9e9ae0 2 API calls 64683->64687 64684->64685 64685->64325 64685->64683 64688 b1d20d 64685->64688 64686->64325 64689 b1d257 64687->64689 64688->64686 64690 9e9e20 53 API calls 64689->64690 64691 b1d29a 64690->64691 64692 b1d2a0 64691->64692 64693 b1d30a 64691->64693 64697 b1d2c2 64692->64697 64698 b1d2cd 64692->64698 64694 9e9ae0 2 API calls 64693->64694 64695 b1d314 64694->64695 64707 b1cb80 122 API calls std::_Locinfo::_Locinfo_ctor 64695->64707 64705 9e9120 53 API calls 64697->64705 64706 9e9990 45 API calls 2 library calls 64698->64706 64701 b1d2cb 64702 9fab80 117 API calls 64701->64702 64703 b1d2f5 64702->64703 64703->64325 64704 b1d358 64704->64325 64705->64701 64706->64701 64707->64704 64708->64332 64710 9e9e20 53 API calls 64709->64710 64715 ac5b6e 64710->64715 64711 ac5ce0 64712 9e9ae0 2 API calls 64711->64712 64713 ac5cea 64712->64713 64716 9e9ae0 2 API calls 64713->64716 64714 ac5caf 64717 b76c0a _ValidateLocalCookies 5 API calls 64714->64717 64715->64711 64715->64714 64720 ac5cd6 64715->64720 64723 ac5be7 
64715->64723 64718 ac5cf4 64716->64718 64719 ac5cd0 64717->64719 64721 ac5d0b 64718->64721 64724 b80746 ___std_exception_destroy 13 API calls 64718->64724 64719->64344 64722 9e9ae0 2 API calls 64720->64722 64721->64344 64722->64711 64725 ac5bf5 64723->64725 64735 ac5d50 RtlAllocateHeap RaiseException __Getctype 64723->64735 64726 ac5d39 64724->64726 64736 b806b7 44 API calls 2 library calls 64725->64736 64726->64344 64729 ac5c0d 64729->64713 64731 ac5c41 64729->64731 64737 9e9870 45 API calls 64729->64737 64731->64713 64731->64731 64732 ac5c91 64731->64732 64732->64714 64738 ac5d10 13 API calls ___std_exception_destroy 64732->64738 64734->64352 64735->64725 64736->64729 64737->64731 64738->64714 64739->64360 64740->64362 64743->64369 64745 9e92c3 64744->64745 64759 9e9361 64744->64759 64761 b80635 64745->64761 64746 9e9ae0 2 API calls 64747 9e93b6 64746->64747 64748 9e9ae0 2 API calls 64747->64748 64750 9e93c0 64748->64750 64751 9e9e20 53 API calls 64753 9e930f 64751->64753 64767 9e91d0 64753->64767 64756 9e9342 64777 b80676 64756->64777 64759->64746 64760 9e8d23 64759->64760 64760->64610 64762 b80649 __Getctype 64761->64762 64784 b7c74f 64762->64784 64768 9e926b 64767->64768 64771 9e9201 64767->64771 64769 9e9ae0 2 API calls 64768->64769 64770 9e9275 64769->64770 64772 9e9221 64771->64772 64773 9e922e 64771->64773 64806 9e9120 53 API calls 64772->64806 64773->64773 64807 9e9990 45 API calls 2 library calls 64773->64807 64776 9e922c 64776->64756 64783 9e9870 45 API calls 64776->64783 64778 b8068a __Getctype 64777->64778 64808 b7c971 64778->64808 64781 b7bddb __Getctype 44 API calls 64782 b806b2 64781->64782 64782->64759 64783->64756 64785 b7c79e 64784->64785 64786 b7c77b 64784->64786 64785->64786 64790 b7c7a6 64785->64790 64801 b7c022 44 API calls 2 library calls 64786->64801 64788 b7c793 64789 b76c0a _ValidateLocalCookies 5 API calls 64788->64789 64791 b7c8d0 64789->64791 64802 b7ef22 56 API calls __cftof 64790->64802 64795 b7bddb 64791->64795 64793 b7c827 64803 
b7e444 13 API calls ___free_lconv_mon 64793->64803 64796 b7bde7 64795->64796 64797 b7bdfe 64796->64797 64804 b7be86 44 API calls __Getctype 64796->64804 64799 9e92e3 64797->64799 64805 b7be86 44 API calls __Getctype 64797->64805 64799->64747 64799->64751 64799->64753 64801->64788 64802->64793 64803->64788 64804->64797 64805->64799 64806->64776 64807->64776 64809 b7c97d 64808->64809 64811 b7c9a0 64808->64811 64816 b7c022 44 API calls 2 library calls 64809->64816 64814 b7c9c7 64811->64814 64817 b7c458 56 API calls 2 library calls 64811->64817 64815 b7c998 64814->64815 64818 b7c022 44 API calls 2 library calls 64814->64818 64815->64781 64816->64815 64817->64814 64818->64815 64820 b20106 64819->64820 64821 b2015b SetFilePointer 64820->64821 64824 b2010d 64820->64824 64825 b20236 SetFilePointer 64820->64825 64822 b20182 ReadFile 64821->64822 64823 b20174 GetLastError 64821->64823 64822->64820 64822->64824 64823->64822 64823->64824 64824->64405 64825->64824 64826 b2025e ReadFile 64825->64826 64826->64824 64827 b20275 64826->64827 64827->64824 64842 b019d0 64828->64842 64830 b00dff 64831 aff15c 64830->64831 64861 b01ea0 64830->64861 64831->64191 64833->64392 64834->64394 64835->64406 64837 9eeae0 101 API calls 64836->64837 64838 ae54e1 64837->64838 64838->64413 64839->64420 64840->64416 64841->64422 64843 b01a1b SetFilePointer 64842->64843 64844 b01abd 64842->64844 64843->64844 64845 b01ad1 64843->64845 64844->64830 64846 9e9e20 53 API calls 64845->64846 64847 b01af1 64846->64847 64848 b01e0f 64847->64848 64851 b01cd5 64847->64851 64852 b01b2f ReadFile 64847->64852 64849 9e9ae0 2 API calls 64848->64849 64850 b01e19 64849->64850 64896 9f2a50 RaiseException 64850->64896 64851->64830 64852->64851 64854 b01d91 GetLastError 64852->64854 64894 ae3200 76 API calls 64854->64894 64855 b01e25 64855->64830 64857 b01dae 64858 ae54b0 101 API calls 64857->64858 64859 b01dc8 64858->64859 64895 aeed40 74 API calls 64859->64895 64862 b01edb SetFilePointer 64861->64862 64874 b0215c 
64861->64874 64863 b01f06 GetLastError 64862->64863 64864 b01f8a 64862->64864 64897 ae3200 76 API calls 64863->64897 64866 b01fb0 ReadFile 64864->64866 64864->64874 64867 b02233 GetLastError 64866->64867 64891 b01fd2 64866->64891 64902 ae3200 76 API calls 64867->64902 64868 b01f20 64870 ae54b0 101 API calls 64868->64870 64873 b01f38 64870->64873 64871 b02250 64875 ae54b0 101 API calls 64871->64875 64872 9e9e20 53 API calls 64872->64891 64898 aeed40 74 API calls 64873->64898 64874->64831 64876 b02265 64875->64876 64903 aeed40 74 API calls 64876->64903 64877 b022a9 64880 9e9ae0 2 API calls 64877->64880 64879 b01f4e 64879->64831 64882 b022b3 64880->64882 64883 b02032 ReadFile 64884 b02189 GetLastError 64883->64884 64883->64891 64900 ae3200 76 API calls 64884->64900 64886 b021a6 64887 ae54b0 101 API calls 64886->64887 64890 b021bb 64887->64890 64889 b021d3 64889->64874 64901 aeed40 74 API calls 64890->64901 64891->64866 64891->64867 64891->64872 64891->64874 64891->64877 64891->64883 64891->64884 64891->64889 64893 9e9620 45 API calls 64891->64893 64899 9e9990 45 API calls 2 library calls 64891->64899 64893->64891 64894->64857 64895->64848 64896->64855 64897->64868 64898->64879 64899->64891 64900->64886 64901->64889 64902->64871 64903->64889 64905 9e9e20 53 API calls 64904->64905 64906 b22438 64905->64906 64907 b22599 64906->64907 64911 9e9e20 53 API calls 64906->64911 64908 9e9ae0 2 API calls 64907->64908 64909 b225a3 64908->64909 64928 b22690 IsWindow 64909->64928 64913 b2245b 64911->64913 64912 b225b8 std::ios_base::_Ios_base_dtor 64912->64428 64913->64907 64914 9e9e20 53 API calls 64913->64914 64915 b224c7 64914->64915 64915->64907 64916 9e9e20 53 API calls 64915->64916 64917 b2253c 64916->64917 64917->64907 64918 9e9e20 53 API calls 64917->64918 64919 b2255e 64918->64919 64919->64907 64920 b22562 64919->64920 64923 b27b10 64920->64923 64935 ae3860 64923->64935 64929 b226eb EndDialog 64928->64929 64930 b226f6 64928->64930 64929->64930 64996 b225e0 10 API calls 
64930->64996 64932 b22792 64933 b227ff 64932->64933 64997 b76864 10 API calls 64932->64997 64933->64912 64942 ae3ad0 64935->64942 64996->64932 64997->64933 64999 afd47a 64998->64999 65001 afd48b 64998->65001 65000 9e9ae0 2 API calls 64999->65000 64999->65001 65002 afd515 65000->65002 65001->64474 65003 afd551 65002->65003 65004 b80746 ___std_exception_destroy 13 API calls 65002->65004 65003->64474 65004->65003 65006 9e9e20 53 API calls 65005->65006 65007 b0326c 65006->65007 65008 b03684 65007->65008 65078 b022c0 65007->65078 65009 9e9ae0 2 API calls 65008->65009 65010 b0368e 65009->65010 65087 9f2a50 RaiseException 65010->65087 65013 b0369a 65014 9e9ae0 2 API calls 65013->65014 65037 b036f8 65036->65037 65038 b036ee 65036->65038 65090 b0dae0 65037->65090 65136 9e9790 45 API calls 65038->65136 65041 b03701 65042 b037f2 65041->65042 65065->64450 65067 b00c50 65066->65067 65068 b00c6d 65066->65068 65067->65068 65300 9f2a50 RaiseException 65067->65300 65068->64441 65070 b00c81 65071->64454 65072->64459 65073->64478 65074->64478 65075->64487 65076->64475 65077->64452 65079 9e96e0 2 API calls 65078->65079 65080 b022d3 65079->65080 65088 b00be0 RaiseException 65080->65088 65082 b022de 65083 9fb580 45 API calls 65082->65083 65087->65013 65088->65082 65091 b0db05 65090->65091 65092 b0dc2a 65090->65092 65091->65092 65095 b0dba1 GetDiskFreeSpaceExW 65091->65095 65093 b76c0a _ValidateLocalCookies 5 API calls 65092->65093 65094 b0dc3d 65093->65094 65094->65041 65095->65091 65096 b0dbff 65095->65096 65096->65092 65097 b0dc13 65096->65097 65136->65037 65300->65070 65333->64565 65335 b204c0 65334->65335 65336 b204f5 65335->65336 65337 b204e4 FreeLibrary 65335->65337 65338 b20538 CloseHandle 65336->65338 65339 b20549 65336->65339 65337->65336 65338->65339 65339->64565 65340->64563 65341->64573 65342->64581 65344 b8edb8 RtlFreeHeap 65343->65344 65345 b8075e 65343->65345 65344->65345 65346 b8edcd GetLastError 65344->65346 65345->64085 65347 b8edda ___free_lconv_mon 65346->65347 65349 
b7c1bf 13 API calls __set_se_translator 65347->65349 65349->65345 65350 b767b8 GetProcessHeap HeapAlloc 65351 b767d4 65350->65351 65352 b767d0 65350->65352 65360 b7654a 65351->65360 65354 b767df 65355 b767fb 65354->65355 65357 b767ef 65354->65357 65374 b76656 15 API calls __set_se_translator 65355->65374 65358 b76819 65357->65358 65359 b76808 GetProcessHeap HeapFree 65357->65359 65359->65352 65361 b76557 DecodePointer 65360->65361 65362 b76564 LoadLibraryExA 65360->65362 65361->65354 65363 b765f5 65362->65363 65364 b7657d 65362->65364 65363->65354 65375 b765fa GetProcAddress EncodePointer 65364->65375 65366 b7658d 65366->65363 65376 b765fa GetProcAddress EncodePointer 65366->65376 65368 b765a4 65368->65363 65377 b765fa GetProcAddress EncodePointer 65368->65377 65370 b765bb 65370->65363 65378 b765fa GetProcAddress EncodePointer 65370->65378 65372 b765d2 65372->65363 65373 b765d9 DecodePointer 65372->65373 65373->65363 65374->65357 65375->65366 65376->65368 65377->65370 65378->65372 65379 b02380 65380 9e9e20 53 API calls 65379->65380 65384 b023d5 65380->65384 65381 b02df4 65382 9e9ae0 2 API calls 65381->65382 65383 b02dfe 65382->65383 65384->65381 65385 9e9e20 53 API calls 65384->65385 65386 b02414 65385->65386 65386->65381 65387 9e9e20 53 API calls 65386->65387 65389 b02432 65387->65389 65388 b02531 65391 9e9e20 53 API calls 65388->65391 65389->65381 65389->65388 65470 ae4970 101 API calls _wcsrchr 65389->65470 65402 b0256e __set_se_translator 65391->65402 65392 b02463 65393 9fb580 45 API calls 65392->65393 65394 b02470 65393->65394 65396 9fb580 45 API calls 65394->65396 65395 b76c49 std::_Facet_Register 2 API calls 65395->65402 65398 b024c8 65396->65398 65471 b02f30 101 API calls 65398->65471 65399 b02b4e 65400 b02b54 65399->65400 65403 b02ba0 CreateThread 65399->65403 65404 b02b73 CreateEventW 65399->65404 65405 b02c55 CloseHandle 65400->65405 65439 b02a9f 65400->65439 65402->65381 65402->65395 65406 9e9e20 53 API calls 65402->65406 65418 b02de8 65402->65418 65427 
ae0e50 54 API calls 65402->65427 65431 9fb580 45 API calls 65402->65431 65436 b0291d __set_se_translator 65402->65436 65438 ae58e0 133 API calls 65402->65438 65402->65439 65440 ae03b0 46 API calls 65402->65440 65441 b02a9d 65402->65441 65442 b20560 65402->65442 65472 ae4970 101 API calls _wcsrchr 65402->65472 65473 b20600 CreateFileW 65402->65473 65408 b02bd4 WaitForSingleObject GetExitCodeThread 65403->65408 65409 b02bcd 65403->65409 65499 b206e0 179 API calls 65403->65499 65415 b02b8a 65404->65415 65405->65439 65406->65402 65407 b02c74 CloseHandle 65412 b02c7e 65407->65412 65410 b02c14 65408->65410 65411 b02bec 65408->65411 65409->65408 65410->65400 65414 b02c23 CloseHandle 65410->65414 65411->65400 65413 b02c02 CloseHandle 65411->65413 65416 acd800 13 API calls 65412->65416 65413->65400 65414->65400 65415->65403 65424 b02cb3 std::ios_base::_Ios_base_dtor 65416->65424 65417 b02d30 65420 b80746 ___std_exception_destroy 13 API calls 65417->65420 65421 b02d41 65417->65421 65480 9f2a50 RaiseException 65418->65480 65420->65421 65423 b76c0a _ValidateLocalCookies 5 API calls 65421->65423 65422 b20480 2 API calls 65422->65424 65425 b02dd4 65423->65425 65424->65417 65424->65418 65424->65422 65427->65402 65428 ae0e50 54 API calls 65428->65436 65430 b02946 FindFirstFileW 65432 b0298a FindClose 65430->65432 65430->65436 65431->65402 65432->65436 65434 9fb580 45 API calls 65434->65436 65435 b20600 180 API calls 65435->65436 65436->65402 65436->65428 65436->65430 65436->65434 65436->65435 65437 b02aa8 65436->65437 65437->65439 65438->65402 65439->65407 65439->65412 65440->65402 65448 b215c0 65441->65448 65443 b20569 65442->65443 65444 b2056e LoadLibraryW 65442->65444 65443->65402 65445 b20587 65444->65445 65446 b205a1 65445->65446 65447 b205a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 65445->65447 65446->65402 65447->65402 65449 b21626 CreateThread 65448->65449 65450 b215f8 CreateEventW 65448->65450 65452 b2173c WaitForSingleObject GetExitCodeThread 
65449->65452 65459 b21662 65449->65459 65495 b21980 65449->65495 65451 b2160d 65450->65451 65451->65449 65453 b21777 65452->65453 65454 b21769 CloseHandle 65452->65454 65453->65399 65454->65453 65455 b21720 65455->65452 65456 b2178d 65481 9f2a50 RaiseException 65456->65481 65458 b21799 65460 b217d1 WaitForSingleObject 65458->65460 65469 b217da 65458->65469 65459->65455 65459->65456 65460->65469 65461 b2196f 65482 9f2a50 RaiseException 65461->65482 65463 b2197b 65483 b217a0 65463->65483 65464 9f6a60 62 API calls 65464->65469 65466 b21937 65466->65399 65467 ae58e0 133 API calls 65467->65469 65468 b21989 65468->65399 65469->65461 65469->65464 65469->65466 65469->65467 65470->65392 65471->65388 65472->65402 65475 b2062d 65473->65475 65474 b206a9 65474->65402 65475->65474 65476 9e9ae0 2 API calls 65475->65476 65477 b206db 65476->65477 65498 b206f0 179 API calls ___std_exception_destroy 65477->65498 65479 b206e9 65479->65402 65480->65381 65481->65458 65482->65463 65484 b217d1 WaitForSingleObject 65483->65484 65493 b217da 65483->65493 65484->65493 65485 b2196f 65494 9f2a50 RaiseException 65485->65494 65487 b2197b 65489 b217a0 133 API calls 65487->65489 65488 9f6a60 62 API calls 65488->65493 65492 b21989 65489->65492 65490 b21937 65490->65468 65491 ae58e0 133 API calls 65491->65493 65492->65468 65493->65485 65493->65488 65493->65490 65493->65491 65494->65487 65496 b217a0 134 API calls 65495->65496 65497 b21989 65496->65497 65498->65479 65500 a12530 65501 a12543 std::ios_base::_Ios_base_dtor 65500->65501 65506 b78723 65501->65506 65504 a12559 SetUnhandledExceptionFilter 65505 a1256b 65504->65505 65511 b7875b 65506->65511 65508 b7872c 65509 b7875b __set_se_translator 55 API calls 65508->65509 65510 a1254d 65509->65510 65510->65504 65510->65505 65524 b78769 23 API calls 4 library calls 65511->65524 65513 b78760 65513->65508 65525 b90417 EnterCriticalSection __set_se_translator 65513->65525 65515 b80fa6 65516 b80fb1 65515->65516 65526 b9045c 44 API calls 5 library calls 
65515->65526 65517 b80fbb IsProcessorFeaturePresent 65516->65517 65518 b80fda 65516->65518 65520 b80fc7 65517->65520 65528 b8d911 65518->65528 65527 b7bea3 8 API calls 2 library calls 65520->65527 65524->65513 65525->65515 65526->65516 65527->65518 65531 b8d735 65528->65531 65532 b8d762 65531->65532 65533 b8d774 65531->65533 65556 b8d7fd GetModuleHandleW 65532->65556 65543 b8d5de 65533->65543 65536 b8d767 65536->65533 65557 b8d862 GetModuleHandleExW 65536->65557 65537 b8d7ab 65538 b80fe4 65537->65538 65549 b8d7cc 65537->65549 65538->65508 65544 b8d5ea __set_se_translator 65543->65544 65563 b8ba2a EnterCriticalSection 65544->65563 65546 b8d5f4 65564 b8d64a 65546->65564 65548 b8d601 __set_se_translator 65548->65537 65626 b8d840 65549->65626 65552 b8d7ea 65554 b8d862 __set_se_translator 3 API calls 65552->65554 65553 b8d7da GetCurrentProcess TerminateProcess 65553->65552 65555 b8d7f2 ExitProcess 65554->65555 65556->65536 65558 b8d8a1 GetProcAddress 65557->65558 65559 b8d8c2 65557->65559 65558->65559 65562 b8d8b5 65558->65562 65560 b8d8c8 FreeLibrary 65559->65560 65561 b8d773 65559->65561 65560->65561 65561->65533 65562->65559 65563->65546 65565 b8d656 __set_se_translator 65564->65565 65570 b8d6eb 65565->65570 65571 b8d6bd 65565->65571 65572 b8e21c 65565->65572 65566 b8d6da 65567 b8e4c0 __set_se_translator 44 API calls 65566->65567 65567->65570 65570->65548 65571->65566 65576 b8e4c0 65571->65576 65573 b8e228 __EH_prolog3 65572->65573 65580 b8df74 65573->65580 65575 b8e24f std::locale::_Init 65575->65571 65577 b8e4ce 65576->65577 65578 b8e4e7 65576->65578 65577->65578 65591 9e1990 65577->65591 65578->65566 65581 b8df80 __set_se_translator 65580->65581 65586 b8ba2a EnterCriticalSection 65581->65586 65583 b8df8e 65587 b8e12c 65583->65587 65585 b8df9b __set_se_translator 65585->65575 65586->65583 65588 b8e143 65587->65588 65589 b8e14b 65587->65589 65588->65585 65589->65588 65590 b8edad ___free_lconv_mon 13 API calls 65589->65590 65590->65588 65592 9e19cd 65591->65592 65599 
9e6520 65592->65599 65594 9e1a67 65609 b76fca 44 API calls 65594->65609 65596 9e1a8d 65597 b76c0a _ValidateLocalCookies 5 API calls 65596->65597 65598 9e1aa5 65597->65598 65598->65577 65600 9e65d5 65599->65600 65601 9e6581 65599->65601 65600->65594 65602 9e6589 65601->65602 65603 9e6606 65601->65603 65610 9e6ba0 65602->65610 65625 9e6ac0 44 API calls 65603->65625 65607 9e658f 65607->65600 65608 9e6610 44 API calls 65607->65608 65608->65607 65609->65596 65611 9e6bef 65610->65611 65612 9e6bab 65610->65612 65613 9e7730 44 API calls 65611->65613 65614 9e6bda 65612->65614 65615 9e6bb8 65612->65615 65623 9e6bc5 65613->65623 65617 9e6bea 65614->65617 65620 b76c49 std::_Facet_Register RaiseException EnterCriticalSection 65614->65620 65615->65611 65616 9e6bbf 65615->65616 65619 b76c49 std::_Facet_Register RaiseException EnterCriticalSection 65616->65619 65617->65607 65618 b7c0af 44 API calls 65622 9e6bf9 65618->65622 65619->65623 65621 9e6be4 65620->65621 65621->65607 65623->65618 65624 9e6bce 65623->65624 65624->65607 65631 b98a0e 6 API calls __set_se_translator 65626->65631 65628 b8d845 65629 b8d84a GetPEB 65628->65629 65630 b8d7d6 65628->65630 65629->65630 65630->65552 65630->65553 65631->65628 65632 b21d20 65641 b21990 65632->65641 65635 b21d7a 65638 b21d91 GetFileVersionInfoW 65635->65638 65640 b21d8a 65635->65640 65636 b21dde GetLastError 65636->65640 65637 b21df0 DeleteFileW 65639 b21df7 65637->65639 65638->65636 65638->65640 65640->65637 65640->65639 65656 ae39a0 65641->65656 65644 b21b3a 65647 b76c0a _ValidateLocalCookies 5 API calls 65644->65647 65645 b219d5 SHGetFolderPathW 65646 b219f3 __set_se_translator 65645->65646 65646->65644 65649 b21a6a GetTempPathW 65646->65649 65648 b21b68 GetFileVersionInfoSizeW 65647->65648 65648->65635 65648->65636 65663 b79160 65649->65663 65653 b21abe Wow64DisableWow64FsRedirection CopyFileW 65654 b21b10 65653->65654 65654->65644 65655 b21b28 Wow64RevertWow64FsRedirection 65654->65655 65655->65644 65657 ae3ad0 79 API calls 
65656->65657 65658 ae39c9 65657->65658 65659 b77112 4 API calls 65658->65659 65660 ae3a77 65658->65660 65661 ae39f0 __set_se_translator 65659->65661 65660->65644 65660->65645 65661->65660 65667 b770c8 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 65661->65667 65664 b21a92 GetTempFileNameW 65663->65664 65665 b21bd0 65664->65665 65666 b21bda 65665->65666 65666->65653 65667->65660 65668 a44cb0 65673 afde50 GetLastError 65668->65673 65669 a44d27 65670 a44d5e 65669->65670 65671 a44d78 SetWindowLongW 65669->65671 65671->65670 65674 afde5a 65673->65674 65675 9e9ae0 2 API calls 65674->65675 65676 afde68 65675->65676 65677 afde8e 65676->65677 65678 afdec6 65676->65678 65679 afdecd 65676->65679 65680 ae1f70 5 API calls 65677->65680 65678->65679 65681 afdf04 DestroyWindow 65678->65681 65679->65669 65682 afde9d 65680->65682 65681->65669 65687 afe0d0 6 API calls 65682->65687 65685 a45a70 16 API calls 65686 afdeb0 65685->65686 65686->65669 65688 afe16a SetWindowPos 65687->65688 65689 afe163 65687->65689 65690 b76c0a _ValidateLocalCookies 5 API calls 65688->65690 65689->65688 65691 afdea7 65690->65691 65691->65685 65692 adfcb0 65693 9e6610 44 API calls 65692->65693 65694 adfd2a 65693->65694 65720 ae01e0 65694->65720 65697 adfd73 65699 9e78d0 44 API calls 65697->65699 65698 9e78d0 44 API calls 65698->65697 65700 adfdac 65699->65700 65701 adfe70 65700->65701 65702 adfdc9 65700->65702 65703 adfde5 65700->65703 65735 aae0c0 65701->65735 65746 9e6c00 44 API calls 65702->65746 65706 9e6610 44 API calls 65703->65706 65708 adfdd8 65706->65708 65707 adfe9c 65709 b76c0a _ValidateLocalCookies 5 API calls 65707->65709 65711 9e8d30 44 API calls 65708->65711 65710 adfebc 65709->65710 65712 adfe0d 65711->65712 65713 9e7070 44 API calls 65712->65713 65714 adfe2c 65713->65714 65715 9e78d0 44 API calls 65714->65715 65716 adfe38 65715->65716 65717 adfe54 65716->65717 65718 9e78d0 44 API calls 65716->65718 65717->65701 65719 9e78d0 44 API calls 65717->65719 65718->65717 
65719->65701 65721 ae023d 65720->65721 65722 ae0252 65720->65722 65723 9e7160 44 API calls 65721->65723 65724 ae026f 65722->65724 65725 ae025a 65722->65725 65726 adfd60 65723->65726 65728 ae028c 65724->65728 65729 ae0277 65724->65729 65727 9e7160 44 API calls 65725->65727 65726->65697 65726->65698 65727->65726 65731 ae02a9 65728->65731 65732 ae0294 65728->65732 65730 9e7160 44 API calls 65729->65730 65730->65726 65731->65726 65734 9e7160 44 API calls 65731->65734 65733 9e7160 44 API calls 65732->65733 65733->65726 65734->65726 65736 aae158 RegOpenKeyExW 65735->65736 65737 aae0f9 65735->65737 65740 aae151 65736->65740 65738 aae14b 65737->65738 65739 aae0fe GetModuleHandleW 65737->65739 65738->65736 65738->65740 65742 aae10d 65739->65742 65743 aae126 GetProcAddress 65739->65743 65741 aae180 65740->65741 65745 aae177 RegCloseKey 65740->65745 65741->65707 65742->65707 65743->65740 65744 aae136 65743->65744 65744->65740 65745->65741 65746->65708 65747 ad7cb0 65748 ad7cfb 65747->65748 65751 ad7ce8 65747->65751 65755 ac7fd0 56 API calls 3 library calls 65748->65755 65750 ad7d05 65753 9e78d0 44 API calls 65750->65753 65752 b76c0a _ValidateLocalCookies 5 API calls 65751->65752 65754 ad7d4a 65752->65754 65753->65751 65755->65750 65756 9eb800 65757 9eb847 std::ios_base::_Ios_base_dtor 65756->65757 65758 9eb837 65756->65758 65758->65757 65763 b7c0af 44 API calls 2 library calls 65758->65763 65764 9e8720 65765 9e872a CloseHandle 65764->65765 65766 9e8738 65764->65766 65765->65766 65767 af74f0 65831 af7360 65767->65831 65769 af753c 65917 b1b490 GetUserNameW 65769->65917 65772 9e7160 44 API calls 65773 af75b9 65772->65773 65775 b77112 4 API calls 65773->65775 65785 af7636 65773->65785 65774 9e6610 44 API calls 65776 af7645 65774->65776 65777 af75dc 65775->65777 65781 b76c49 std::_Facet_Register 2 API calls 65776->65781 65778 9e7160 44 API calls 65777->65778 65777->65785 65779 af761b 65778->65779 65941 b76fca 44 API calls 65779->65941 65783 af7706 65781->65783 65782 af7625 65942 
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                      • Part of subcall function 009E9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,009F6AC0,-00000010,?,00B21897,00000008,C310823C), ref: 009E9143
                                    • SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00AF8E37
                                    • SetEvent.KERNEL32(?), ref: 00AF8E95
                                      • Part of subcall function 00B03960: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,C310823C), ref: 00B0398B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
                                    • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
                                    • API String ID: 4144826820-297406034
                                    • Opcode ID: 648464a8a0c3c09f84ab87c84328266d86e12c696fb9e32a45cfe4a584d484b8
                                    • Instruction ID: 86cc4023e2dbe3c017b8b3e128d52d6f9fdb014aa3449f29218b73298a00ab95
                                    • Opcode Fuzzy Hash: 648464a8a0c3c09f84ab87c84328266d86e12c696fb9e32a45cfe4a584d484b8
                                    • Instruction Fuzzy Hash: F2E2BE70900649DFDB01DFA8C849BAEFBB5EF45314F1482A8F515EB292EB349D05CBA1
                                    APIs
                                    • FindClose.KERNEL32(00000000), ref: 009FACA2
                                    • PathIsUNCW.SHLWAPI(?,*.*), ref: 009FAD03
                                    • FindFirstFileW.KERNEL32(?,00000000,*.*), ref: 009FAF4E
                                    • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 009FAF68
                                    • GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 009FAF9B
                                    • FindClose.KERNEL32(00000000), ref: 009FB00C
                                    • SetLastError.KERNEL32(0000007B), ref: 009FB016
                                    • _wcsrchr.LIBVCRUNTIME ref: 009FB06C
                                    • _wcsrchr.LIBVCRUNTIME ref: 009FB08C
                                    • PathIsUNCW.SHLWAPI(?,?,C310823C,?,00000000), ref: 009FB24B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
                                    • String ID: *.*$\\?\$\\?\UNC\
                                    • API String ID: 1241272779-1700010636
                                    • Opcode ID: 504af139f6190335d4f81bc54e1a6ae136b55a9b0daca8a0541feb24cb288cb5
                                    • Instruction ID: 015c2ca5d2bb98ed3b2888d1608087a124a7d1f61622e6be8f5b4cd0ca970ee0
                                    • Opcode Fuzzy Hash: 504af139f6190335d4f81bc54e1a6ae136b55a9b0daca8a0541feb24cb288cb5
                                    • Instruction Fuzzy Hash: E362E571A006099FDB14DF68C889BBEB7F9FF84314F148668E915DB2A5DB31AD04CB90

                                    Strings
                                    • PackageCode, xrefs: 00B1C46B
                                    • SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 00B1C18E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
                                    • API String ID: 0-2409377028
                                    • Opcode ID: 55106606ae14e90daea8be731fb010a2d23afc53a3670f6f19cec91fa23537bf
                                    • Instruction ID: d5b17a0d75c768eae080f9d11d9b289755dcfe597f4d996dbda001be74e2c2d1
                                    • Opcode Fuzzy Hash: 55106606ae14e90daea8be731fb010a2d23afc53a3670f6f19cec91fa23537bf
                                    • Instruction Fuzzy Hash: 6B12BF71A40205AFDB10DFA8DC49BEEBBE8EF44310F5481A9F805EB2A1DB759D40CB94

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00B0FD68
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B0FD75
                                    • GetLastError.KERNEL32 ref: 00B0FD7F
                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00B0FDA9
                                    • GetLastError.KERNEL32 ref: 00B0FDAF
                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 00B0FDD5
                                    • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B0FE08
                                    • EqualSid.ADVAPI32(00000000,?), ref: 00B0FE17
                                    • FreeSid.ADVAPI32(?), ref: 00B0FE26
                                    • CloseHandle.KERNEL32(00000000), ref: 00B0FE60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                    • String ID:
                                    • API String ID: 695978879-0
                                    • Opcode ID: 105074c73070102d8deb308ff6c9f007daeededfda2f650b7f25f37839389256
                                    • Instruction ID: 0f7a2ebeec077b1382588649c881f210871a9b4adf79ce482850958b7bca9db9
                                    • Opcode Fuzzy Hash: 105074c73070102d8deb308ff6c9f007daeededfda2f650b7f25f37839389256
                                    • Instruction Fuzzy Hash: D9411871A0021AEBDF209FA4CD49BEEBBF8FF08714F104165E511B72A1DB759A04CB64

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1336 b20560-b20567 1337 b20569-b2056b 1336->1337 1338 b2056e-b20585 LoadLibraryW 1336->1338 1339 b20587-b20597 1338->1339 1340 b2059d-b2059f 1338->1340 1339->1340 1341 b205a1-b205a4 1340->1341 1342 b205a7-b205f9 GetProcAddress * 4 1340->1342
                                    APIs
                                    • LoadLibraryW.KERNEL32(?,00000000,00B026CB,?,?,?,?,?), ref: 00B20575
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                    • API String ID: 1029625771-3462492388
                                    • Opcode ID: b47a4be3da4d6544d3241a1bafdc5d8177e0f9db0f4825e88f8f689a29b4a5a1
                                    • Instruction ID: 7bc84e176b1042d1366ef7539ba94adf137bfb6bfc30a0c56f729fdc9bb9e56e
                                    • Opcode Fuzzy Hash: b47a4be3da4d6544d3241a1bafdc5d8177e0f9db0f4825e88f8f689a29b4a5a1
                                    • Instruction Fuzzy Hash: 5F014879A40321ABCB54AB60BC18B5E7BA1F798311F20446BFA1663222CA359815DF98
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess
                                    • String ID:
                                    • API String ID: 275895251-0
                                    • Opcode ID: 209a557928cfc01dd566998f27ff4a85640617ccb1ce98424c446766431bf457
                                    • Instruction ID: 0e7fbbde1423b65ca28a24ed85e82345f501673a2fb4c0bfb848005247ab734d
                                    • Opcode Fuzzy Hash: 209a557928cfc01dd566998f27ff4a85640617ccb1ce98424c446766431bf457
                                    • Instruction Fuzzy Hash: 3E62AE70900649DFDB14DFA8C988BAEBBF4FF45314F1482A9E415AB2D1DB70AD49CB90

                                    Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic-block list follows)
                                    control_flow_graph 1641 b04f10-b04f56 call 9e9e20 1644 b0500b-b05045 call 9e9ae0 MsgWaitForMultipleObjectsEx 1641->1644 1645 b04f5c-b04fa6 GetLocaleInfoW call ac5b30 1641->1645 1649 b050b1-b050ba 1644->1649 1650 b05047-b05059 1644->1650 1656 b04fb6-b04fed GetLocaleInfoW call 9e8d10 1645->1656 1657 b04fa8-b04fb3 call 9e9790 1645->1657 1652 b05060-b05063 1650->1652 1654 b05065-b0508b PeekMessageW 1652->1654 1655 b050bb-b050c4 1652->1655 1658 b0509b-b050af MsgWaitForMultipleObjectsEx 1654->1658 1659 b0508d-b05099 TranslateMessage DispatchMessageW 1654->1659 1664 b04ff7-b0500a 1656->1664 1665 b04fef-b04ff2 1656->1665 1657->1656 1658->1649 1658->1652 1659->1658 1665->1664
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • GetLocaleInfoW.KERNEL32(?,00000002,00C0438C,00000000), ref: 00B04F81
                                    • GetLocaleInfoW.KERNEL32(?,00000002,000000FF,-00000001,00000078,-00000001), ref: 00B04FBD
                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00B05041
                                    • PeekMessageW.USER32(?,00000000), ref: 00B05087
                                    • TranslateMessage.USER32(00000000), ref: 00B05092
                                    • DispatchMessageW.USER32(00000000), ref: 00B05099
                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00B050AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
                                    • String ID: %d-%s
                                    • API String ID: 445213441-1781338863
                                    • Opcode ID: 5fc0d1a3e6113551fc526b24015d182f805f3533a0d73df5ec38b2805b7f1a93
                                    • Instruction ID: af340122214bc191b1820a1a24cc0cc51934d7891196ed0d22f14f1ead001c73
                                    • Opcode Fuzzy Hash: 5fc0d1a3e6113551fc526b24015d182f805f3533a0d73df5ec38b2805b7f1a93
                                    • Instruction Fuzzy Hash: 0651FF71A40209ABE710DBA9CC45FAFBBE8EF44724F104269F614A72D1EB719944CBA0

                                    Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic-block list follows)
                                    control_flow_graph 1817 b1b490-b1b522 GetUserNameW 1818 b1b524-b1b52d GetLastError 1817->1818 1819 b1b56e-b1b5ac GetEnvironmentVariableW 1817->1819 1818->1819 1820 b1b52f-b1b537 1818->1820 1821 b1b5f2-b1b5fc 1819->1821 1822 b1b5ae-b1b5b3 1819->1822 1825 b1b539-b1b54d 1820->1825 1826 b1b54f-b1b557 call a136c0 1820->1826 1823 b1b607-b1b60d 1821->1823 1824 b1b5fe-b1b605 1821->1824 1827 b1b5b5-b1b5c9 1822->1827 1828 b1b5cb-b1b5d5 call a136c0 1822->1828 1829 b1b610-b1b639 1823->1829 1824->1829 1830 b1b55c-b1b56c GetUserNameW 1825->1830 1826->1830 1832 b1b5da-b1b5ec GetEnvironmentVariableW 1827->1832 1828->1832 1834 b1b648-b1b6a7 call 9e7070 * 2 call 9e78d0 * 2 call b76c0a 1829->1834 1835 b1b63b-b1b643 call 9e7160 1829->1835 1830->1819 1832->1821 1835->1834
                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 00B1B51E
                                    • GetLastError.KERNEL32 ref: 00B1B524
                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 00B1B56C
                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00B1B5A2
                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00B1B5EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: EnvironmentNameUserVariable$ErrorLast
                                    • String ID: UserDomain
                                    • API String ID: 3567734997-2275544873
                                    • Opcode ID: a3b79b17be1a14dab7920a7180818d62d85e28979328c9fcbdf84f53b8b44c5c
                                    • Instruction ID: 24f177de304b42816a43707a3c89e51498103050a89061e8c8edac6218e3d751
                                    • Opcode Fuzzy Hash: a3b79b17be1a14dab7920a7180818d62d85e28979328c9fcbdf84f53b8b44c5c
                                    • Instruction Fuzzy Hash: 21611671A00209DBDF14DFA8C969BEEBBF5FF58704F50412DE401A7280DB75AA45CBA1
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,C310823C,?,?,00000000,?,?,?,?,00BE804D,000000FF,?,00B02B4E), ref: 00B21600
                                    • CreateThread.KERNEL32(00000000,00000000,00B21980,?,00000000,?), ref: 00B21636
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B2173F
                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 00B2174A
                                    • CloseHandle.KERNEL32(00000000), ref: 00B2176A
                                      • Part of subcall function 009F2A50: RaiseException.KERNEL32(C310823C,C310823C,00000000,00000000,00B2197B,C000008C,00000001,C310823C), ref: 009F2A5C
                                    • WaitForSingleObject.KERNEL32(?,000000FF,C310823C,00000000,?,?,00000001), ref: 00B217D4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CreateObjectSingleThreadWait$CloseCodeEventExceptionExitHandleRaise
                                    • String ID:
                                    • API String ID: 4001640722-0
                                    • Opcode ID: 0e8a30b1ee779a79a737210660b874dddfa37fbd8be4d71558cc290f3414c794
                                    • Instruction ID: e6b98f23d99f7ae090a49dcb71fdff8e80538eaacf4644c731cdb000fac4eade
                                    • Opcode Fuzzy Hash: 0e8a30b1ee779a79a737210660b874dddfa37fbd8be4d71558cc290f3414c794
                                    • Instruction Fuzzy Hash: D1D17C75A006159FCB14CF68D884BAAB7F5FF58310F158699E91AEB3A1DB30EC41CB90
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AA2661
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • _wcschr.LIBVCRUNTIME ref: 00AA271F
                                      • Part of subcall function 009E9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,009F6AC0,-00000010,?,00B21897,00000008,C310823C), ref: 009E9143
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 00AA2734
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
                                    • String ID: Kernel32.dll
                                    • API String ID: 1122257418-1926710522
                                    • Opcode ID: 1a246b36ff1b27e1ca928d68d7ec01b50533ee06504632ae96374e22d7047731
                                    • Instruction ID: eaf311276e71c5ba57b995b3750b888222091565fb423b4dc0bfa06ffaf82668
                                    • Opcode Fuzzy Hash: 1a246b36ff1b27e1ca928d68d7ec01b50533ee06504632ae96374e22d7047731
                                    • Instruction Fuzzy Hash: E0A17AB0501645EFEB14CF68C818BAABBF0FF05318F10865DD4299B6C1D7BAA619CF91
                                    APIs
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B0DBBA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: DiskFreeSpace
                                    • String ID: \$\$\
                                    • API String ID: 1705453755-3791832595
                                    • Opcode ID: c902b09875fe8388551d8defeecd13b7c93085962b57f2593ad0478c53a3f311
                                    • Instruction ID: 2d854e1f641aa2e588cf1bea99273282a12dbbb68d3e981d035427942650e7a4
                                    • Opcode Fuzzy Hash: c902b09875fe8388551d8defeecd13b7c93085962b57f2593ad0478c53a3f311
                                    • Instruction Fuzzy Hash: 6C41B662E1425186CB30DFA48441ABBBBF5FF95354F168AAEE8D8D71C0F76089858386
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000008,?,009F0E77,?,?,009F0C24,?), ref: 00B767BD
                                    • HeapAlloc.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B767C4
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,009F0C24,?), ref: 00B7680A
                                    • HeapFree.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B76811
                                      • Part of subcall function 00B76656: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00B76800,00000000,?,?,009F0C24,?), ref: 00B7667A
                                      • Part of subcall function 00B76656: HeapAlloc.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B76681
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$Process$Alloc$Free
                                    • String ID:
                                    • API String ID: 1864747095-0
                                    • Opcode ID: 6b6d46cb738df21f46bc152c886fe5b0a82daf848443cbc301f3178403ebff10
                                    • Instruction ID: ee9962e4701ca820fef721146471e3a01f971c1ea4e37343d12f497947b29ad1
                                    • Opcode Fuzzy Hash: 6b6d46cb738df21f46bc152c886fe5b0a82daf848443cbc301f3178403ebff10
                                    • Instruction Fuzzy Hash: 72F0B436644F2157CB252BB8BC09A6B3BE5AF84B9571184A9F46AC7644DF30CC01DB61
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,00000000), ref: 00AE540D
                                    • FindClose.KERNEL32(00000000), ref: 00AE546C
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$AllocateCloseFileFirstHeap
                                    • String ID:
                                    • API String ID: 1673784098-0
                                    • Opcode ID: 33a4ea131b9ba6a5e2e7e460957869bbaf60711c5e115ef8e3ca8abe739e394c
                                    • Instruction ID: 67d5b3507af5fcbff61c06bdebdaa4f9ca0071f80c220795db7e7c92c76937a6
                                    • Opcode Fuzzy Hash: 33a4ea131b9ba6a5e2e7e460957869bbaf60711c5e115ef8e3ca8abe739e394c
                                    • Instruction Fuzzy Hash: 4B31D571D04A54DFDB24DF66D848BAAB7B5EF44318F208199E81A973C0EB709D84CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess
                                    • String ID:
                                    • API String ID: 275895251-0
                                    • Opcode ID: 4a6040e55299599862685e20557e670589125387e80cc689339748aafec19d07
                                    • Instruction ID: ac9d97daedba35c1d12d9b8877d4c2d30dfe26b945f9262d585a6c7497aa86f5
                                    • Opcode Fuzzy Hash: 4a6040e55299599862685e20557e670589125387e80cc689339748aafec19d07
                                    • Instruction Fuzzy Hash: 4EE16170A00649DFDB14DFA9C888BAEBBF4FF44314F1482A9E415AB3D1DB75AA05CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 31e04df9dae9fa454c8410db955571b404a50555ded2edcd476c1a3b7a689c2d
                                    • Instruction ID: a3bf6bc84c125a5d4c19366c264d239a642ead3e7b4d8206160a73db8841e312
                                    • Opcode Fuzzy Hash: 31e04df9dae9fa454c8410db955571b404a50555ded2edcd476c1a3b7a689c2d
                                    • Instruction Fuzzy Hash: 80419B30901689DFDB24DF69C998BEDB3A8FF48720F508269E819972D1EB709E04CB50
                                    APIs
                                    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,C310823C,C310823C,?,?,?,?,00000000), ref: 00B1C979
                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,C310823C,C310823C,?,?,?,?,00000000,00B9EE85), ref: 00B1C99A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Create$FileNamedPipe
                                    • String ID:
                                    • API String ID: 1328467360-0
                                    • Opcode ID: d714de9b605fec83143f8c7ccf6732efd7768cddca8ee88c00bf6bfe82635fc1
                                    • Instruction ID: a04715cfbcceee24031bb1d792451748dcff803609f9ef6104fdc89d8c8fb4bc
                                    • Opcode Fuzzy Hash: d714de9b605fec83143f8c7ccf6732efd7768cddca8ee88c00bf6bfe82635fc1
                                    • Instruction Fuzzy Hash: 42310331A84745AFE731CF24CC01B99BFE4EB01B20F10826EF9A99B6D0DB71A940CB44
                                    APIs
                                    • __set_se_translator.LIBVCRUNTIME ref: 00A12548
                                    • SetUnhandledExceptionFilter.KERNEL32(00AE17A0), ref: 00A1255E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                    • String ID:
                                    • API String ID: 2480343447-0
                                    • Opcode ID: d493021ae522eed53dc80a28dcc81565cc4d2fdaa042c6c1dd15b0ea5dd353c6
                                    • Instruction ID: 8e3b2cd3ea5a5cabda96ee0999fadfa1d066f39b185280768edfb6c52808ffbd
                                    • Opcode Fuzzy Hash: d493021ae522eed53dc80a28dcc81565cc4d2fdaa042c6c1dd15b0ea5dd353c6
                                    • Instruction Fuzzy Hash: 6DE07D32A042503EC30093619C0EF0E3F50FB96B10F048459F30C23151C770A841C772
                                    APIs
                                      • Part of subcall function 00AE3860: __Init_thread_footer.LIBCMT ref: 00AE3940
                                    • CoCreateInstance.COMBASE(00C041E8,00000000,00000001,00C20588,000000B0), ref: 00B27B8E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CreateInit_thread_footerInstance
                                    • String ID:
                                    • API String ID: 3436645735-0
                                    • Opcode ID: 26eb32404a96ad38c2b8c1f2e9cbf7ec2eb4763b5f54d6f91eef20bc968dca07
                                    • Instruction ID: 7a06e25655fae69bd8fe0da6a7d07660396397230d11f131bf387adba2b3222f
                                    • Opcode Fuzzy Hash: 26eb32404a96ad38c2b8c1f2e9cbf7ec2eb4763b5f54d6f91eef20bc968dca07
                                    • Instruction Fuzzy Hash: D211ADB1644745EBD720CF59D804B4ABBF8EB05B10F1046AEE8259B7D0D7BAA504CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$CreateHeapInstanceProcess
                                    • String ID:
                                    • API String ID: 3807588171-0
                                    • Opcode ID: ae354cdcdec3a84a3383de68d3739542eed3c0a0cf90f5c1cd7824153dfad69a
                                    • Instruction ID: a2c0431331be52173ff5b276abcb4d620e0cbd6d2e0614890a9ae2afc0a7ada8
                                    • Opcode Fuzzy Hash: ae354cdcdec3a84a3383de68d3739542eed3c0a0cf90f5c1cd7824153dfad69a
                                    • Instruction Fuzzy Hash: 2B6168B0500745DFEB21CF65C15839ABBE0FF48318F208A9DD58A9B792D7B5E509CB90

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00AE3BDE
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00AE3C25
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00AE3C44
                                    • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00AE3C73
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00AE3CE8
                                    • RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00AE3D51
                                    • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00AE3DB4
                                    • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00AE3E06
                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00AE3EA3
                                    • GetProcAddress.KERNEL32(00000000), ref: 00AE3EAA
                                    • __Init_thread_footer.LIBCMT ref: 00AE3EBE
                                    • GetCurrentProcess.KERNEL32(?), ref: 00AE3EE1
                                    • IsWow64Process.KERNEL32(00000000), ref: 00AE3EE8
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00AE3F22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                    • String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
                                    • API String ID: 1906320730-525127412
                                    • Opcode ID: 972dcbabf25ff320abaca1935fd74d821568137bfe45c5a1db7795337310593f
                                    • Instruction ID: e67ed06027e12adcd20f404ee91ac85d21567d0b37b5167cd4a82e607d22d917
                                    • Opcode Fuzzy Hash: 972dcbabf25ff320abaca1935fd74d821568137bfe45c5a1db7795337310593f
                                    • Instruction Fuzzy Hash: 0AA14D71900658EADF20DF21CD49BAEB7F4FB04705F1481EAE549A7190EB74AA84CF94

                                    Control-flow Graph

                                     (interactive graph not reproduced; basic blocks ae3f50 through ae4279)
                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00AE3FC0
                                    • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00AE3FFB
                                    • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00AE4076
                                    • RegCloseKey.KERNEL32(00000000), ref: 00AE424E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                    • API String ID: 1586453840-3149529848
                                    • Opcode ID: 0353f0f231cb82feb97c2438e4ab7a6841b3a895dc3cce3e274effd45a85f7ff
                                    • Instruction ID: c87e682d88e707e28819e9ea51f8abe8bfa7276c1959ece523eccf8f8a5bda25
                                    • Opcode Fuzzy Hash: 0353f0f231cb82feb97c2438e4ab7a6841b3a895dc3cce3e274effd45a85f7ff
                                    • Instruction Fuzzy Hash: 607102B07003889ADF209B66CD50BEE76B8EB59354F104178EA16EB695FB34DD899B00
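The two registry-reading functions listed above (the CurrentVersion reader around 00AE3BDE..00AE3F22 and the ProductOptions reader around 00AE3FC0..00AE424E) together form an OS-fingerprinting routine. The script below is an added example reconstructing that logic from the observed calls; it is not the sample's code. It consumes a registry snapshot as a dict so it runs on any platform, the snapshots are constructed rather than captured, and the mapping of ProductSuite strings onto VER_SUITE_* bit values is an assumption about the sample (it is how Windows itself derives SuiteMask from that key).

```python
from dataclasses import dataclass
from typing import Dict, Tuple

CV_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion"
PO_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions"

# ProductSuite entries -> VER_SUITE_* bits (winnt.h). The strings are the
# function's own string table; mapping them to these bit values is an
# assumption about the sample (it is how Windows itself builds SuiteMask).
SUITE_FLAGS = {
    "Small Business": 0x0001, "Enterprise": 0x0002, "BackOffice": 0x0004,
    "CommunicationServer": 0x0008, "Terminal Server": 0x0010,
    "Small Business(Restricted)": 0x0020, "EmbeddedNT": 0x0040,
    "DataCenter": 0x0080, "Personal": 0x0200, "Blade": 0x0400,
    "Embedded(Restricted)": 0x0800, "Security Appliance": 0x1000,
    "Storage Server": 0x2000, "Compute Server": 0x4000,
}

@dataclass
class OsInfo:
    major: int
    minor: int
    build: int
    release_id: str
    service_pack: str
    product_type: str   # WinNT = workstation, ServerNT = server, LanmanNT = DC
    suite_mask: int
    is_wow64: bool      # 32-bit process on a 64-bit Windows

def version_numbers(cv: Dict[str, object]) -> Tuple[int, int]:
    """Windows 10+ publishes CurrentMajorVersionNumber/CurrentMinorVersionNumber
    (REG_DWORD) and freezes the old CurrentVersion string at "6.3"; earlier
    releases only have the string. Querying both, as the function above does,
    yields the real version on every release."""
    if "CurrentMajorVersionNumber" in cv:
        return (int(cv["CurrentMajorVersionNumber"]),
                int(cv.get("CurrentMinorVersionNumber", 0)))
    major, _, minor = str(cv.get("CurrentVersion", "0.0")).partition(".")
    return int(major), int(minor or 0)

def fingerprint(reg: Dict[str, Dict[str, object]], is_wow64: bool) -> OsInfo:
    cv, po = reg[CV_KEY], reg.get(PO_KEY, {})
    major, minor = version_numbers(cv)
    mask = 0
    for entry in po.get("ProductSuite", []):      # REG_MULTI_SZ -> list of str
        mask |= SUITE_FLAGS.get(entry, 0)
    return OsInfo(major, minor, int(cv.get("CurrentBuildNumber", 0)),
                  str(cv.get("ReleaseId", "")), str(cv.get("CSDVersion", "")),
                  str(po.get("ProductType", "WinNT")), mask, is_wow64)

def describe(info: OsInfo) -> str:
    kind = "server" if info.product_type in ("ServerNT", "LanmanNT") else "workstation"
    bits = "x64 host, 32-bit process under WOW64" if info.is_wow64 else "32-bit host"
    suites = [n for n, b in SUITE_FLAGS.items() if info.suite_mask & b]
    ver = f"{info.major}.{info.minor}.{info.build}"
    if info.release_id:
        ver += f" ({info.release_id})"
    if info.service_pack:
        ver += f" {info.service_pack}"
    return f"Windows {ver} {kind}, {bits}, suites={suites or ['none']}"

# Constructed registry snapshots (not captured from a real host).
WIN7_SP1_X86 = {
    CV_KEY: {"CurrentVersion": "6.1", "CurrentBuildNumber": "7601",
             "CSDVersion": "Service Pack 1"},
    PO_KEY: {"ProductType": "WinNT", "ProductSuite": ["Terminal Server"]},
}
WIN10_X64 = {
    CV_KEY: {"CurrentVersion": "6.3", "CurrentMajorVersionNumber": 10,
             "CurrentMinorVersionNumber": 0, "CurrentBuildNumber": "19045",
             "ReleaseId": "2009", "BuildBranch": "vb_release"},
    PO_KEY: {"ProductType": "WinNT", "ProductSuite": ["Terminal Server"]},
}
SERVER_2019 = {
    CV_KEY: {"CurrentVersion": "6.3", "CurrentMajorVersionNumber": 10,
             "CurrentMinorVersionNumber": 0, "CurrentBuildNumber": "17763",
             "ReleaseId": "1809"},
    PO_KEY: {"ProductType": "ServerNT",
             "ProductSuite": ["Enterprise", "Terminal Server"]},
}

def from_live_registry() -> OsInfo:
    """Same logic against the real HKLM plus IsWow64Process; Windows only."""
    import ctypes
    import winreg

    def read(path: str) -> Dict[str, object]:
        out = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                out[name] = value
        return out

    reg = {k: read(k.split("\\", 1)[1]) for k in (CV_KEY, PO_KEY)}
    wow64 = ctypes.c_int(0)
    k32 = ctypes.windll.kernel32
    k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(wow64))
    return fingerprint(reg, bool(wow64.value))
```

Reading these values directly instead of calling GetVersionEx is ordinary installer behaviour: since Windows 8.1 the version APIs report whatever the application manifest declares compatibility with, so setup engines go to the registry for the real number. For triage, the combination of values an analysis VM exposes (product type, suite list, build and WOW64 state) is exactly what such a routine keys its later branches on, which is why the sandbox flags the sequence even though it is benign on its own.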

                                    Control-flow Graph

                                     (interactive graph not reproduced; basic blocks b05820 through b05aff)
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00B0589C
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                      • Part of subcall function 009F2A50: RaiseException.KERNEL32(C310823C,C310823C,00000000,00000000,00B2197B,C000008C,00000001,C310823C), ref: 009F2A5C
                                    • __Init_thread_footer.LIBCMT ref: 00B058EC
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AllocateConditionExceptionHeapRaiseVariableWake
                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$shfolder.dll
                                    • API String ID: 2519272855-3044903971
                                    • Opcode ID: 5fc1737ce458d58f0360c6d2a0ed80782dc234054a1d0bff759f2762bb84072e
                                    • Instruction ID: c371a11b7b8ed3545d26b64c1ed6bb594fc7cea335aa99b72c5887e46d1b31f2
                                    • Opcode Fuzzy Hash: 5fc1737ce458d58f0360c6d2a0ed80782dc234054a1d0bff759f2762bb84072e
                                    • Instruction Fuzzy Hash: 1571E671A04A46CBDF20EB68C846BAFBBE0EF10324F1486E9E416976D2E731DD05CB51

                                    Control-flow Graph

                                     (interactive graph not reproduced; basic blocks af7360 through af7aa3)
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • GetTickCount.KERNEL32 ref: 00AF73E4
                                    • __Xtime_get_ticks.LIBCPMT ref: 00AF73EC
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF7436
                                    • __Init_thread_footer.LIBCMT ref: 00AF7631
                                    • GetCurrentProcess.KERNEL32 ref: 00AF79D3
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00AF79E3
                                     • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),?,00000004,?), ref: 00AF7A0F
                                    • CloseHandle.KERNEL32(00000000), ref: 00AF7A50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                    • String ID: \/:*?"<>|
                                    • API String ID: 3363527671-3830478854
                                    • Opcode ID: e376ecf78c7202dd37188acca49c8fb437f6ed59c25cf2e09509a62b2a7a3ad9
                                    • Instruction ID: 0e353e1344568520c8d6a0239f0f705e4f6fc3b2f82632e135588d485b88a4df
                                    • Opcode Fuzzy Hash: e376ecf78c7202dd37188acca49c8fb437f6ed59c25cf2e09509a62b2a7a3ad9
                                    • Instruction Fuzzy Hash: 0A22BE70904259DFDB10DFA8CC85BAEBBB4FF45304F1481A9E509AB292EB749E44CF91
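The last four calls of this function (GetCurrentProcess, OpenProcessToken, GetTokenInformation, CloseHandle) are the chain behind the "Found evasive API chain checking for process token information" signature in the overview. The script below is an added example, not code from the sample or from Joe Sandbox: it parses API lines in the listing format this page uses and decodes the raw OpenProcessToken desired-access value and the GetTokenInformation class and buffer-length arguments against winnt.h, so the analyst reads what the chain actually asks for rather than relying on the engine's label. The embedded input is the four lines above with the engine's parenthesised label on the second GetTokenInformation argument removed; the parser still accepts such labels.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API lines of function 00AF7360 from this report,
# with the engine's "(...)" label on GetTokenInformation's second argument
# left out so the decoder below works from the raw value alone.
API_LINES = """\
• GetCurrentProcess.KERNEL32 ref: 00AF79D3
• OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00AF79E3
• GetTokenInformation.KERNELBASE(00000000,00000014,?,00000004,?), ref: 00AF7A0F
• CloseHandle.KERNEL32(00000000), ref: 00AF7A50
"""

# One listing line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, optional "(args)", then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$")

# OpenProcessToken DesiredAccess bits (winnt.h TOKEN_*).
TOKEN_ACCESS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE",
                0x4: "TOKEN_IMPERSONATE", 0x8: "TOKEN_QUERY",
                0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT",
                0x100: "TOKEN_ADJUST_SESSIONID"}

# TOKEN_INFORMATION_CLASS, 1-based as in winnt.h (index 0 == TokenUser == 1).
TOKEN_INFORMATION_CLASS = [
    "TokenUser", "TokenGroups", "TokenPrivileges", "TokenOwner",
    "TokenPrimaryGroup", "TokenDefaultDacl", "TokenSource", "TokenType",
    "TokenImpersonationLevel", "TokenStatistics", "TokenRestrictedSids",
    "TokenSessionId", "TokenGroupsAndPrivileges", "TokenSessionReference",
    "TokenSandBoxInert", "TokenAuditPolicy", "TokenOrigin",
    "TokenElevationType", "TokenLinkedToken", "TokenElevation",
    "TokenHasRestrictions", "TokenAccessInformation",
    "TokenVirtualizationAllowed", "TokenVirtualizationEnabled",
    "TokenIntegrityLevel"]

# Classes whose output is a single DWORD. Everything else (SIDs, LUIDs,
# privilege arrays) is variable-length and cannot fit a fixed 4-byte buffer.
DWORD_CLASSES = {"TokenType", "TokenImpersonationLevel", "TokenSessionId",
                 "TokenSandBoxInert", "TokenElevationType", "TokenElevation",
                 "TokenHasRestrictions", "TokenVirtualizationAllowed",
                 "TokenVirtualizationEnabled"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    parent: Optional[str] = None   # set for "Part of subcall function" lines

def parse_api_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # headings such as "APIs" or "Strings"
        raw = m.group("args")
        args = [] if raw is None else [a.strip() for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("parent")))
    return calls

def _hex(arg: str) -> Optional[int]:
    """One listed argument: '?' is unknown, '14(Label)' keeps only the value."""
    arg = arg.split("(")[0]
    try:
        return int(arg, 16)
    except ValueError:
        return None

def decode_token_chain(calls: List[ApiCall]) -> Dict[str, object]:
    """Decode an OpenProcessToken -> GetTokenInformation pair in one function."""
    result: Dict[str, object] = {}
    seen_open = False
    for c in calls:
        if c.parent:   # callee summaries are not this function's own calls
            continue
        if c.api == "OpenProcessToken" and len(c.args) >= 2:
            access = _hex(c.args[1]) or 0
            result["access"] = [n for b, n in TOKEN_ACCESS.items() if access & b]
            seen_open = True
        elif c.api == "GetTokenInformation" and seen_open and len(c.args) >= 4:
            cls, length = _hex(c.args[1]), _hex(c.args[3])
            name = (TOKEN_INFORMATION_CLASS[cls - 1]
                    if cls and 1 <= cls <= len(TOKEN_INFORMATION_CLASS)
                    else f"class_{cls}")
            result["class"] = name
            result["buffer_len"] = length
            # A 4-byte buffer is only consistent with the DWORD-sized classes.
            result["buffer_consistent"] = (length == 4) == (name in DWORD_CLASSES)
    return result

def classify(decoded: Dict[str, object]) -> str:
    """What the chain is for, as an analyst would read it."""
    cls = decoded.get("class")
    if cls in ("TokenElevation", "TokenElevationType"):
        return "elevation check (is the process running elevated, and how)"
    if cls == "TokenIntegrityLevel":
        return "integrity-level check (mandatory label of the process)"
    if cls:
        return f"token query: {cls}"
    return "no OpenProcessToken/GetTokenInformation chain"
```

Run on this report's lines it decodes desired access 0x8 as TOKEN_QUERY and class 0x14 as TokenElevation with a 4-byte buffer, which is sizeof(TOKEN_ELEVATION): the standard "am I elevated?" test an installer performs before deciding where it may write. A TokenIntegrityLevel query would be class 0x19 and needs a variable-length TOKEN_MANDATORY_LABEL buffer, so the buffer size is a useful cross-check on whatever label the engine prints. On its own the chain is therefore a weak indicator; it gains weight only when the branch that consumes the result leads to the deleted files and dropped PE in the Windows directory noted in the overview.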

                                    Control-flow Graph

                                     (interactive graph not reproduced; basic blocks ae4fa0 through ae5324)
                                    APIs
                                    • RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,00AE5A23), ref: 00AE5043
                                      • Part of subcall function 009E9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,009F6AC0,-00000010,?,00B21897,00000008,C310823C), ref: 009E9143
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                    • RemoveDirectoryW.KERNEL32(00000008,C310823C,00000008,00000000,00000008,00000000,00BDB90D,000000FF,?,00AE5A23), ref: 00AE5072
                                    • GetLastError.KERNEL32(?,00AE5A23,?,?,?,?,?,?,?,?,?,?,?,?,00BE8085,000000FF), ref: 00AE5082
                                    • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,00000000,00BDB90D,000000FF,?,80004005,C310823C,00000008,00000000,00000008,00000000), ref: 00AE5153
                                    • GetLastError.KERNEL32(?,C310823C,00000008,00000000,?,00000000,00BDB90D,000000FF,?,80004005,C310823C,00000008,00000000,00000008,00000000,00BDB90D), ref: 00AE5192
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • DeleteFileW.KERNEL32(?,C310823C,00000008,00000000,?,00000000,00BDB90D,000000FF,?,80004005,C310823C,00000008,00000000,00000008,00000000,00BDB90D), ref: 00AE5182
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AE5281
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: DeleteDirectoryErrorFileHeapInit_thread_footerLastRemove$AllocateFindProcessResource_wcsrchr
                                    • String ID: \\?\
                                    • API String ID: 3513978327-4282027825
                                    • Opcode ID: 5e00e57e03fec2dea082df07b6ea76c056e4e4493af77d018802aedafb4eaf8e
                                    • Instruction ID: 66a2df8d91985309e7c848568ee06eac80cb15ed953cffcf25dc2d5274c54b8a
                                    • Opcode Fuzzy Hash: 5e00e57e03fec2dea082df07b6ea76c056e4e4493af77d018802aedafb4eaf8e
                                    • Instruction Fuzzy Hash: CCA1CE71A01A89DFDB10DBB9D858BAEB7B4EF04325F148669F921D72D1DB319D00CB90

                                    Control-flow Graph

                                     (interactive graph not reproduced; basic blocks b7654a through b765f9)
                                    APIs
                                    • DecodePointer.KERNEL32(C310823C,?,?,00B76890,00C85C90,?,?,?,00B22657,00000000,C310823C,?,00B22792), ref: 00B7655C
                                    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,C310823C,?,?,00B76890,00C85C90,?,?,?,00B22657,00000000,C310823C,?,00B22792), ref: 00B76571
                                    • DecodePointer.KERNEL32(C310823C,?,?,?,?,?,?,?,?,?,00000000,C310823C,?,00B22792), ref: 00B765ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: DecodePointer$LibraryLoad
                                    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                    • API String ID: 1423960858-1745123996
                                    • Opcode ID: d793f89fed03a0631b20a62fac50f31407676c80842e96df8601bf74bcf21612
                                    • Instruction ID: f64445c8072693fceac66f71ba306b414ff83346780616d9303c627d93710630
                                    • Opcode Fuzzy Hash: d793f89fed03a0631b20a62fac50f31407676c80842e96df8601bf74bcf21612
                                    • Instruction Fuzzy Hash: 7C01DB71541B18BBCB0567249C07FDA3BD99B21708F0480F0BC1EB72A9DE919A08D696

                                    Control-flow Graph

                                    control_flow_graph 1684 b21990-b219cf call ae39a0 1687 b21b43-b21b4b call b21bd0 1684->1687 1688 b219d5-b219f1 SHGetFolderPathW 1684->1688 1697 b21b4f 1687->1697 1690 b219f3-b219fb 1688->1690 1691 b219fd-b21a0c 1688->1691 1690->1690 1690->1691 1692 b21a22-b21a33 call ac8d20 1691->1692 1693 b21a0e 1691->1693 1701 b21a57-b21b0e call b79160 GetTempPathW call b79160 GetTempFileNameW call b21bd0 Wow64DisableWow64FsRedirection CopyFileW 1692->1701 1702 b21a35 1692->1702 1695 b21a10-b21a18 1693->1695 1695->1695 1698 b21a1a-b21a1c 1695->1698 1700 b21b51-b21b6b call b76c0a 1697->1700 1698->1687 1698->1692 1713 b21b10-b21b13 call b21bd0 1701->1713 1714 b21b18-b21b26 1701->1714 1704 b21a40-b21a4c 1702->1704 1704->1687 1707 b21a52-b21a55 1704->1707 1707->1701 1707->1704 1713->1714 1714->1697 1716 b21b28-b21b38 Wow64RevertWow64FsRedirection 1714->1716 1716->1700 1717 b21b3a-b21b41 1716->1717 1717->1700
                                    APIs
                                      • Part of subcall function 00AE39A0: __Init_thread_footer.LIBCMT ref: 00AE3A72
                                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C310823C,00000000,00000000), ref: 00B219E4
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00B21A79
                                    • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00B21AAA
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00B21ADD
                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 00B21AFF
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B21B2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
                                    • String ID: shim_clone
                                    • API String ID: 4264308349-3944563459
                                    • Opcode ID: 7e0607ef98c3c6a41d1f5e517450228e806c038e0fe61f2b4cc9ee02c8928ac5
                                    • Instruction ID: a4ce4af5bd55610045184bacd5f0d87c4f94233799689e59d5d17b3425654acc
                                    • Opcode Fuzzy Hash: 7e0607ef98c3c6a41d1f5e517450228e806c038e0fe61f2b4cc9ee02c8928ac5
                                    • Instruction Fuzzy Hash: 5251F970A00228AADB24DF28DC59BAEB7F9EF64700F1444E9E509A71C1DB759F44CB90

                                    Control-flow Graph

                                    control_flow_graph 1718 b036b0-b036ec 1719 b036f8-b03706 call b0dae0 1718->1719 1720 b036ee-b036f3 call 9e9790 1718->1720 1724 b037f2-b037f4 1719->1724 1725 b0370c-b03717 1719->1725 1720->1719 1726 b037f6 1724->1726 1727 b03818-b03821 1724->1727 1728 b03747-b0374e 1725->1728 1729 b03719-b03731 call ae54b0 1725->1729 1735 b037f8-b037fa 1726->1735 1736 b037fc-b03809 call ae58e0 1726->1736 1730 b03934-b03947 1727->1730 1731 b03827-b0382e call 9e9e20 1727->1731 1733 b03754-b0375b call 9e9e20 1728->1733 1734 b037d9-b037ef 1728->1734 1742 b03733 1729->1742 1743 b03736-b03741 1729->1743 1746 b03834-b038a1 call 9e8d10 CreateFileW call ae03b0 1731->1746 1747 b0394a-b03954 call 9e9ae0 1731->1747 1733->1747 1748 b03761-b03788 call 9fab80 1733->1748 1735->1727 1735->1736 1745 b0380e-b03816 1736->1745 1742->1743 1743->1724 1743->1728 1745->1731 1766 b038a3 1746->1766 1767 b038bf-b038ca 1746->1767 1759 b037a9-b037cf call b18750 1748->1759 1760 b0378a-b0378f 1748->1760 1759->1734 1769 b037d1-b037d4 1759->1769 1761 b03790-b03799 1760->1761 1761->1761 1764 b0379b-b037a4 call 9fab80 1761->1764 1764->1759 1770 b038a5-b038ab 1766->1770 1771 b038ad-b038bd 1766->1771 1772 b038cd-b038f4 SetFilePointer SetEndOfFile 1767->1772 1769->1734 1770->1767 1770->1771 1771->1772 1773 b03904-b03919 1772->1773 1774 b038f6-b038fd CloseHandle 1772->1774 1775 b03923-b0392e 1773->1775 1776 b0391b-b0391e 1773->1776 1774->1773 1775->1730 1775->1731 1776->1775
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B03876
                                    • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00B038D5
                                    • SetEndOfFile.KERNEL32(?), ref: 00B038DE
                                    • CloseHandle.KERNEL32(?), ref: 00B038F7
                                    Strings
                                    • Not enough disk space to extract file:, xrefs: 00B0377A
                                    • %sholder%d.aiph, xrefs: 00B03852
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointer
                                    • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                    • API String ID: 22866420-929304071
                                    • Opcode ID: e70279e8c3af04ee18692641744e6512224d928073c9140ff902069cfe712f28
                                    • Instruction ID: ca071d61c5377b8ce320da7d8c85fb44ca2461d4fb06d1dcd719e76acb49564d
                                    • Opcode Fuzzy Hash: e70279e8c3af04ee18692641744e6512224d928073c9140ff902069cfe712f28
                                    • Instruction Fuzzy Hash: DD8190B5A002499BDB10DF68CC49BAEBBE8FF44720F148699F915A72D1DB71DE00CB90

                                    Control-flow Graph

                                    control_flow_graph 1777 b200c0-b2010b call b03ac0 1780 b20117-b20125 1777->1780 1781 b2010d-b20112 1777->1781 1783 b20130-b20151 1780->1783 1782 b202c1-b202eb call b774c5 1781->1782 1785 b20153-b20159 1783->1785 1786 b2015b-b20172 SetFilePointer 1783->1786 1785->1786 1787 b20182-b20197 ReadFile 1786->1787 1788 b20174-b2017c GetLastError 1786->1788 1790 b202bc 1787->1790 1791 b2019d-b201a4 1787->1791 1788->1787 1788->1790 1790->1782 1791->1790 1792 b201aa-b201bb 1791->1792 1792->1783 1793 b201c1-b201cd 1792->1793 1794 b201d0-b201d4 1793->1794 1795 b201e1-b201e5 1794->1795 1796 b201d6-b201df 1794->1796 1797 b201e7-b201ed 1795->1797 1798 b20208-b2020a 1795->1798 1796->1794 1796->1795 1797->1798 1799 b201ef-b201f2 1797->1799 1800 b2020d-b2020f 1798->1800 1801 b20204-b20206 1799->1801 1802 b201f4-b201fa 1799->1802 1803 b20211-b20214 1800->1803 1804 b20224-b20226 1800->1804 1801->1800 1802->1798 1808 b201fc-b20202 1802->1808 1803->1793 1805 b20216-b2021f 1803->1805 1806 b20236-b2025c SetFilePointer 1804->1806 1807 b20228-b20231 1804->1807 1805->1783 1806->1790 1809 b2025e-b20273 ReadFile 1806->1809 1807->1783 1808->1798 1808->1801 1809->1790 1810 b20275-b20279 1809->1810 1810->1790 1811 b2027b-b20285 1810->1811 1812 b20287-b2028d 1811->1812 1813 b2029f-b202a4 1811->1813 1812->1813 1814 b2028f-b20297 1812->1814 1813->1782 1814->1813 1815 b20299-b2029d 1814->1815 1815->1813 1816 b202a6-b202ba 1815->1816 1816->1782
                                    APIs
                                    • SetFilePointer.KERNEL32(00BE7C6D,-00000400,?,00000002,00000400,C310823C,?,?,?), ref: 00B20166
                                    • GetLastError.KERNEL32(?,?), ref: 00B20174
                                    • ReadFile.KERNEL32(00BE7C6D,00000000,00000400,?,00000000,?,?), ref: 00B2018F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$ErrorLastPointerRead
                                    • String ID: ADVINSTSFX
                                    • API String ID: 64821003-4038163286
                                    • Opcode ID: f9394dd0e1cc1252a112e74373bc0f421b59e8bffbfc65aaddd251c5865c92af
                                    • Instruction ID: 7a36f38dd2762103498e99c87d039208a351041b522a1962966e9d205e24be02
                                    • Opcode Fuzzy Hash: f9394dd0e1cc1252a112e74373bc0f421b59e8bffbfc65aaddd251c5865c92af
                                    • Instruction Fuzzy Hash: 13619071A10229DBDB10DFA4D889BBEBBF6FB55310F2446A9E419B7382D7309D41CB60

                                    Control-flow Graph

                                    control_flow_graph 1847 acebe0-acec17 1848 acec19-acec1c 1847->1848 1849 acec82-acec99 RegCreateKeyExW 1847->1849 1851 acec1e-acec2b GetModuleHandleW 1848->1851 1852 acec75-acec79 1848->1852 1850 acec9f-aceca1 1849->1850 1854 acecc4-acecd5 1850->1854 1855 aceca3-aceca9 1850->1855 1856 acec2d-acec43 1851->1856 1857 acec46-acec54 GetProcAddress 1851->1857 1852->1849 1853 acec7b-acec80 1852->1853 1853->1850 1858 acecab-acecb2 RegCloseKey 1855->1858 1859 acecb4-acecc1 1855->1859 1857->1853 1860 acec56-acec73 1857->1860 1858->1859 1859->1854 1860->1850
                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,C310823C,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 00ACEC23
                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00ACEC4C
                                    • RegCreateKeyExW.KERNEL32(?,009F7319,00000000,00000000,00000000,?,00000000,00000000,?,C310823C,?,?,?,00000000,?,Function_001BEE20), ref: 00ACEC99
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 00ACECAC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressCloseCreateHandleModuleProc
                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                    • API String ID: 1765684683-2994018265
                                    • Opcode ID: 4a637951fd225c8c3d048a1d499f4e6e5b60df69ee6857288e9ecedf09ecb9a5
                                    • Instruction ID: d28224512dbfa033794207141541472f5a89e1b4768b411c0f797ec1b7cd9e39
                                    • Opcode Fuzzy Hash: 4a637951fd225c8c3d048a1d499f4e6e5b60df69ee6857288e9ecedf09ecb9a5
                                    • Instruction Fuzzy Hash: AB317C72608205EBEB24CF55DC45FAABBA8EB08750F10812AF91597290EB71A850CB94
                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,C310823C,?,?,?,?,?,Function_001BEE20,000000FF,?,00ADFE9C,?,?,000000FF), ref: 00AAE103
                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00AAE12C
                                    • RegOpenKeyExW.KERNEL32(?,C310823C,00000000,?,00000000,C310823C,?,?,?,?,?,Function_001BEE20,000000FF,?,00ADFE9C,?), ref: 00AAE165
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BEE20,000000FF,?,00ADFE9C,?,?,000000FF), ref: 00AAE178
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressCloseHandleModuleOpenProc
                                    • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                    • API String ID: 823179699-3913318428
                                    • Opcode ID: c72f8fca30d19c221138eb2830c8d959a79d3c264f65bca443fc012fd0d3d39f
                                    • Instruction ID: 4e68606650c1e2057b1159d222a591a5e0c2e8896b8738892cf6b40a525f5e16
                                    • Opcode Fuzzy Hash: c72f8fca30d19c221138eb2830c8d959a79d3c264f65bca443fc012fd0d3d39f
                                    • Instruction Fuzzy Hash: F1218B72604619EFEB25CF55DC44BAABBA8EB59750F00863AF915D7290D771A800CBA0
                                    APIs
                                    • GetDlgItem.USER32(?,00000002), ref: 00AFE0F0
                                    • GetWindowRect.USER32(00000000,?), ref: 00AFE106
                                    • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00AFDEA7,?,00000000), ref: 00AFE11F
                                    • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00AFDEA7,?), ref: 00AFE12A
                                    • GetDlgItem.USER32(?,000003E9), ref: 00AFE13C
                                    • GetWindowRect.USER32(00000000,?), ref: 00AFE152
                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 00AFE195
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Rect$Item$InvalidateShow
                                    • String ID:
                                    • API String ID: 2147159307-0
                                    • Opcode ID: f2d1b0c729ce460bdc9578870064b1e086a2375be9c65fbc9aa455ede3113163
                                    • Instruction ID: b89325b8e5ef51b876d05410504be0a56b9d542884b43fc3af3f03e4f59c4128
                                    • Opcode Fuzzy Hash: f2d1b0c729ce460bdc9578870064b1e086a2375be9c65fbc9aa455ede3113163
                                    • Instruction Fuzzy Hash: 61212A71614700AFD300DF24DC49B6FBBE9EF88705F008659F859D62A1E770E9858B56
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,C310823C,?,?,00000002,?,?,?,?,?,?,00000000,00BE1942), ref: 00B01EF7
                                    • GetLastError.KERNEL32(?,00000002), ref: 00B02189
                                    • GetLastError.KERNEL32(?,00000002), ref: 00B02233
                                    • GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00BE1942,000000FF,?,00B00E0A,00000010), ref: 00B01F06
                                      • Part of subcall function 00AE3200: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,C310823C,?,00000000), ref: 00AE324B
                                      • Part of subcall function 00AE3200: GetLastError.KERNEL32(?,00000000), ref: 00AE3255
                                    • ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00B01FC8
                                    • ReadFile.KERNEL32(?,C310823C,00000000,00000000,00000000,00000001,?,00000002), ref: 00B02045
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$File$Read$FormatMessagePointer
                                    • String ID:
                                    • API String ID: 3903527278-0
                                    • Opcode ID: 4198abf35de6036b6439d1d4fc48caf6c96b13d4d1769dc78d4e410acc0fb978
                                    • Instruction ID: 822eee4933626ab6f7dde1c82810f21030ade2961e78b61c4142cc665117f0b3
                                    • Opcode Fuzzy Hash: 4198abf35de6036b6439d1d4fc48caf6c96b13d4d1769dc78d4e410acc0fb978
                                    • Instruction Fuzzy Hash: 00D16171D00209DFDB00DFA8C889BADBBB5FF54314F1482A9E915AB3D2EB749905CB90
                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,C310823C,C310823C,?,?,?,?,00B0485D,?,C310823C,?,00000000,?,00000000,00BE20E5), ref: 00B21E95
                                    • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,?,00000000,?,?,00B0485D,?,C310823C,?,00000000,?,00000000,00BE20E5), ref: 00B21EE3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion$Size
                                    • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                    • API String ID: 2104008232-2149928195
                                    • Opcode ID: 0334609c4e36b41d435600db7abcd011c230670c69d58b493350d9dd3eb3091b
                                    • Instruction ID: 6e7bda29b5ff1fb9bee671d6fd75747133630c010033f899ae70d1aba51ed1aa
                                    • Opcode Fuzzy Hash: 0334609c4e36b41d435600db7abcd011c230670c69d58b493350d9dd3eb3091b
                                    • Instruction Fuzzy Hash: B771AC719011599BCB10DFACD949BAFBBF8FF55310F1485AAF829A7291DB309D04CBA0
                                    APIs
                                      • Part of subcall function 00B21990: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C310823C,00000000,00000000), ref: 00B219E4
                                      • Part of subcall function 00B21990: GetTempPathW.KERNEL32(00000104,?), ref: 00B21A79
                                      • Part of subcall function 00B21990: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00B21AAA
                                      • Part of subcall function 00B21990: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00B21ADD
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,C310823C,00000000,?,?,00000000,00BE8105,000000FF,Shlwapi.dll,00B21CD6,?,?,00000010), ref: 00B21D6D
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 00B21D99
                                    • GetLastError.KERNEL32(?,00000010), ref: 00B21DDE
                                    • DeleteFileW.KERNEL32(?), ref: 00B21DF1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
                                    • String ID: Shlwapi.dll
                                    • API String ID: 1841109139-1687636465
                                    • Opcode ID: fa7e88afdeb0b0708e5d09843e1350554b787529946f95dcddc8e5e419f38f8f
                                    • Instruction ID: 439bb284d8bc1a56185752e9a30bbf155dc531dc026b619b4b6584ac5a5f986e
                                    • Opcode Fuzzy Hash: fa7e88afdeb0b0708e5d09843e1350554b787529946f95dcddc8e5e419f38f8f
                                    • Instruction Fuzzy Hash: 5231A571A04219EBDB10CFA9DC44BEFFBF8EF19750F1445A9E409A3291DB349901CBA0
                                    APIs
                                    • LoadLibraryW.KERNEL32(ComCtl32.dll,C310823C,00000000,?,00000000), ref: 00AE335E
                                    • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00AE3381
                                    • FreeLibrary.KERNEL32(00000000), ref: 00AE33FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: ComCtl32.dll$LoadIconMetric
                                    • API String ID: 145871493-764666640
                                    • Opcode ID: 3f1641bf298746883c10496a81e714c5c034f5eb4583aa9deb70cff7983720ef
                                    • Instruction ID: 123cc508098dc27a309f58267f4b27574cc9105d99fc18e4076a1b77a1cc66b5
                                    • Opcode Fuzzy Hash: 3f1641bf298746883c10496a81e714c5c034f5eb4583aa9deb70cff7983720ef
                                    • Instruction Fuzzy Hash: F73164B1A00255ABDF148FA5CC44BAFBFF8EF49754F00412AF915A7380DBB58A00CB90
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 009F2930
                                    • GetWindowLongW.USER32(?,000000FC), ref: 009F2945
                                    • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 009F295B
                                    • GetWindowLongW.USER32(?,000000FC), ref: 009F2975
                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 009F2985
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$CallProc
                                    • String ID:
                                    • API String ID: 513923721-0
                                    • Opcode ID: a1109a852f1d5f6fafdb6d79a44c4aaba5c4a2e4daa3b015e7d8525e23c8bea2
                                    • Instruction ID: 0735a4ca5c0ed4c02a1053753debda17414f470a8b4b3f83dbecdf0502c3adbf
                                    • Opcode Fuzzy Hash: a1109a852f1d5f6fafdb6d79a44c4aaba5c4a2e4daa3b015e7d8525e23c8bea2
                                    • Instruction Fuzzy Hash: B6214971604B00AFC7209F19DD84A6BFBF5FB88720B504A2DF596836B0D772E9909B50
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • PathIsUNCW.SHLWAPI(?,?), ref: 00AE56F6
                                    • _wcschr.LIBVCRUNTIME ref: 00AE5712
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapPathProcess_wcschr
                                    • String ID: \\?\$\\?\UNC\
                                    • API String ID: 660126660-3019864461
                                    • Opcode ID: f1c151c1cb344ef0bda0d2430fb8db57c8e0b05d521d8e44867e603ed56c9202
                                    • Instruction ID: 66144b16656356d27a2bab11bc50dab29b5b3c5cff8c40e5d07882752dfdafef
                                    • Opcode Fuzzy Hash: f1c151c1cb344ef0bda0d2430fb8db57c8e0b05d521d8e44867e603ed56c9202
                                    • Instruction Fuzzy Hash: 72C18E71D00A499FDB00DBA9CC45BAEF7B8FF45324F188269E415EB2D1EB749904CBA0
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,C310823C,?,00000010,?), ref: 00AFEE4A
                                      • Part of subcall function 00B0FD20: GetCurrentProcess.KERNEL32 ref: 00B0FD68
                                      • Part of subcall function 00B0FD20: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B0FD75
                                      • Part of subcall function 00B0FD20: GetLastError.KERNEL32 ref: 00B0FD7F
                                      • Part of subcall function 00B0FD20: CloseHandle.KERNEL32(00000000), ref: 00B0FE60
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                      • Part of subcall function 009E9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,009F6AC0,-00000010,?,00B21897,00000008,C310823C), ref: 009E9143
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                    • String ID: Extraction path set to:$[WindowsVolume]$\\?\
                                    • API String ID: 699919280-3538578949
                                    • Opcode ID: 140d683265683cdbedc8a5bf6ff0594c0d364d44613b6611df0b1c3692f5d43d
                                    • Instruction ID: c701075dd8ab89c3a9a73710de5e70bacf5e6a93de78882b883c5f043afc4590
                                    • Opcode Fuzzy Hash: 140d683265683cdbedc8a5bf6ff0594c0d364d44613b6611df0b1c3692f5d43d
                                    • Instruction Fuzzy Hash: A5C1C270A016499FDB11DFACC884BAEB7B5AF44324F1482A8F515AB2E2DB70DD41CB91
                                    APIs
                                    • ConnectNamedPipe.KERNEL32(?,00000000,C310823C,?,000000FF,?,?,00000000,00BE7306,000000FF,?,00B1D22A,000000FF,?,00000001), ref: 00B1D04C
                                    • GetLastError.KERNEL32(?,?,00000000,00BE7306,000000FF,?,00B1D22A,000000FF,?,00000001), ref: 00B1D056
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,C310823C,?,000000FF,?,?,00000000,00BE7306,000000FF,?,00B1D22A,000000FF), ref: 00B1D0A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
                                    • String ID: \\.\pipe\ToServer
                                    • API String ID: 2973225359-63420281
                                    • Opcode ID: d8484b77135e2c09eab3fd5e5c3f2a15d39240398a33c4a05e06a009343ebe12
                                    • Instruction ID: 3edef7d5616805662153158072969b5aac53d9fa2b6d03ff5837d13e0421c00e
                                    • Opcode Fuzzy Hash: d8484b77135e2c09eab3fd5e5c3f2a15d39240398a33c4a05e06a009343ebe12
                                    • Instruction Fuzzy Hash: 3F71CF71604249AFDB14CF69D804BAEB7E8FF48324F10866DE925DB381DB71A940CB90
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,C310823C,?,00000010,?,00AFA430,?), ref: 00AF70C6
                                    • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00AF710F
                                    • ReadFile.KERNEL32(00000000,C310823C,?,?,00000000,00000078,?), ref: 00AF7151
                                    • CloseHandle.KERNEL32(00000000), ref: 00AF71CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerRead
                                    • String ID:
                                    • API String ID: 4133201480-0
                                    • Opcode ID: 73c14957c41cd7aa63132e3346d7ad731ecef99e7e01e5b6873ca71bb65d9cb4
                                    • Instruction ID: 89f11f2c465cab695246bbdb9fe0f421fd976b30870945c2cbd1fd992e7b0d8e
                                    • Opcode Fuzzy Hash: 73c14957c41cd7aa63132e3346d7ad731ecef99e7e01e5b6873ca71bb65d9cb4
                                    • Instruction Fuzzy Hash: 7651AE70904609ABDB11CBA8CC88BEEFBB8EF44324F148359F510AB2E1D7709D49CB64
                                    APIs
                                    • __freea.LIBCMT ref: 00B902C1
                                      • Part of subcall function 00B8EDE7: RtlAllocateHeap.NTDLL(00000000,00000000,00B8E2B4,?,00B90055,?,00000000,?,00B807B5,00000000,00B8E2B4,?,?,?,?,00B8E0AE), ref: 00B8EE19
                                    • __freea.LIBCMT ref: 00B902D6
                                    • __freea.LIBCMT ref: 00B902E6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: __freea$AllocateHeap
                                    • String ID:
                                    • API String ID: 2243444508-0
                                    • Opcode ID: bc5f686c49e1adb2af4dbfea96ad893bf01c12fa585733bbea789e6a3eb9065e
                                    • Instruction ID: 456e146c589fd6bf7894028788202776f570d65c54afac10ce24c6335bbf52ff
                                    • Opcode Fuzzy Hash: bc5f686c49e1adb2af4dbfea96ad893bf01c12fa585733bbea789e6a3eb9065e
                                    • Instruction Fuzzy Hash: 4C519372610216AFEF25AF64CC89EBF36E9EF44750B1541B9FD18E6150EB70DC109760
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,C310823C,?,?), ref: 00B01A37
                                    • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00B01B44
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$PointerRead
                                    • String ID:
                                    • API String ID: 3154509469-0
                                    • Opcode ID: 076641be58891e4b5a5b8a88b439a4a2da24f8af8e46829dd6614db203f28b40
                                    • Instruction ID: 8f86f679987617f64bb90077fd30787f94075e43b3e3b2588e909240538489a4
                                    • Opcode Fuzzy Hash: 076641be58891e4b5a5b8a88b439a4a2da24f8af8e46829dd6614db203f28b40
                                    • Instruction Fuzzy Hash: 56615D71D00649AFDB14CFA9C945B9DFBB4FB49320F10826AE825A73D0DB759A14CB90
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,C310823C,?,00000000,?,80004005,?,00000000), ref: 00AFEFFE
                                    • GetLastError.KERNEL32 ref: 00AFF036
                                    • GetLastError.KERNEL32(?), ref: 00AFF0CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CreateFile
                                    • String ID:
                                    • API String ID: 1722934493-0
                                    • Opcode ID: 7dc4f7f61b3d368cc392c136289e7d34d62fc2578e5d7c7f95210630df9a2d96
                                    • Instruction ID: ed8b149d989fbf2677d3c035283f97eaa04b27f5463cf5178ca81e653056ec07
                                    • Opcode Fuzzy Hash: 7dc4f7f61b3d368cc392c136289e7d34d62fc2578e5d7c7f95210630df9a2d96
                                    • Instruction Fuzzy Hash: 8551A171A00609DFDB20DFA9DC45BAAF7B1FF44320F148769E619972E1EB31A905CB90
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,C310823C,-00000010,?,?,?,00B218AA,00000000,00000008,C310823C), ref: 00AE592B
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00C13B4C,00000001,?), ref: 00AE59EA
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00BE8085,000000FF,?,00B21989), ref: 00AE59F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLastPath
                                    • String ID:
                                    • API String ID: 953296794-0
                                    • Opcode ID: ab799d9cfd0530231d7b2daa8e598a071f76f094816a4d87fa010dd56598ca14
                                    • Instruction ID: 574a700b5df855919eb2f67250ccd61f4e13566a5325d830e6770b9f6280f9a6
                                    • Opcode Fuzzy Hash: ab799d9cfd0530231d7b2daa8e598a071f76f094816a4d87fa010dd56598ca14
                                    • Instruction Fuzzy Hash: FF61E131D006499FDB10DFB9D889BADFBF4EF08364F148269E411A72D1EB709904CB60
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,00B8D7C6,?,00B7BEA2,?,?,C310823C,00B7BEA2,?), ref: 00B8D7DD
                                    • TerminateProcess.KERNEL32(00000000,?,00B8D7C6,?,00B7BEA2,?,?,C310823C,00B7BEA2,?), ref: 00B8D7E4
                                    • ExitProcess.KERNEL32 ref: 00B8D7F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 5bdbea904f05fc419c82690e8c2054db977d3fc5ed772726457f986c1a276055
                                    • Instruction ID: 74c6fe212f7054a6b470304a411126277b3b27086883c494ffb041437b407a72
                                    • Opcode Fuzzy Hash: 5bdbea904f05fc419c82690e8c2054db977d3fc5ed772726457f986c1a276055
                                    • Instruction Fuzzy Hash: 80D09232000108BBCF013F69EC0DAAD3FAAEF84751B0080A2B9095B0B2DF319992DB81
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: _wcsrchr
                                    • String ID: .msi
                                    • API String ID: 1752292252-299543723
                                    • Opcode ID: 623ee19ccea4e9410e7712a52ce5487de504aa498b966acc863f369a722b5cf6
                                    • Instruction ID: 887f94cfeb5064c80a0a784968cafd1db8f247b8ad73da7c2ea554d86ee2c9e4
                                    • Opcode Fuzzy Hash: 623ee19ccea4e9410e7712a52ce5487de504aa498b966acc863f369a722b5cf6
                                    • Instruction Fuzzy Hash: 7CE1BF71A0024EAFDB10DFA8C984BAEBBF5FF44314F148169FA2197291DB74E954CB90
                                    APIs
                                      • Part of subcall function 00AF7360: GetTickCount.KERNEL32 ref: 00AF73E4
                                      • Part of subcall function 00AF7360: __Xtime_get_ticks.LIBCPMT ref: 00AF73EC
                                      • Part of subcall function 00AF7360: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF7436
                                      • Part of subcall function 00B1B490: GetUserNameW.ADVAPI32(00000000,?), ref: 00B1B51E
                                      • Part of subcall function 00B1B490: GetLastError.KERNEL32 ref: 00B1B524
                                      • Part of subcall function 00B1B490: GetUserNameW.ADVAPI32(00000000,?), ref: 00B1B56C
                                      • Part of subcall function 00B1B490: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00B1B5A2
                                      • Part of subcall function 00B1B490: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00B1B5EC
                                    • __Init_thread_footer.LIBCMT ref: 00AF7631
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                    • String ID: \/:*?"<>|
                                    • API String ID: 2099558200-3830478854
                                    • Opcode ID: 177bad358ddb1ff3c410c6b5257fa292d55898d2f1b6e3579664a8742eb73293
                                    • Instruction ID: f219e3dcb53872e8f3835f5a7c1b692d9dc9a2888fd1289cbb5df2c19af5f77b
                                    • Opcode Fuzzy Hash: 177bad358ddb1ff3c410c6b5257fa292d55898d2f1b6e3579664a8742eb73293
                                    • Instruction Fuzzy Hash: 8CE1AB70904258DFDB10DFA8C895BEEFBB0BF55304F144298E509AB292EBB45E44CFA1
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,C310823C), ref: 00AE5DC0
                                      • Part of subcall function 00AE5E80: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00AE5E8D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                    • String ID: USERPROFILE
                                    • API String ID: 1777821646-2419442777
                                    • Opcode ID: fd627641e9fd517f68b58fa054959bc7ed7c509041de2b2785bc13f49e4731e8
                                    • Instruction ID: 445f2afcdfccbd6f30af335f3b095c861f58e28c9d2d20f3be9588f1405bce02
                                    • Opcode Fuzzy Hash: fd627641e9fd517f68b58fa054959bc7ed7c509041de2b2785bc13f49e4731e8
                                    • Instruction Fuzzy Hash: 2E619C71A00A89DFDB14DF69DC99BAEB7E4EF44314F14826DE816DB291DB709E00CB90
                                    APIs
                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00A44D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID: $
                                    • API String ID: 1378638983-3993045852
                                    • Opcode ID: cccd0c993a8b1a11365bbb588bebd374429949e064c8d7e4e47a5693255c9f62
                                    • Instruction ID: bd31493899f1e0626c4be98696e84c1fa6a5ecc0b215f21b071a44f99b4b4ec0
                                    • Opcode Fuzzy Hash: cccd0c993a8b1a11365bbb588bebd374429949e064c8d7e4e47a5693255c9f62
                                    • Instruction Fuzzy Hash: 8731967A508380DBDB54DF09C880B1ABBF0BFC9711F088559F9948B2A9D3B2D945CB92
                                    APIs
                                      • Part of subcall function 00B93F7C: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00B93FA7
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00B94293,?,00000000,?,?,?), ref: 00B944AD
                                    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B94293,?,00000000,?,?,?), ref: 00B944EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID:
                                    • API String ID: 546120528-0
                                    • Opcode ID: 3a7c2e819ffcbd6773fcc934e2ddef7114435aeccf956481285b5d010369ae32
                                    • Instruction ID: b8c25a10b476b208cf164696a94ee67ae492e8aea945bdd61221b11bab0b445e
                                    • Opcode Fuzzy Hash: 3a7c2e819ffcbd6773fcc934e2ddef7114435aeccf956481285b5d010369ae32
                                    • Instruction Fuzzy Hash: C751E071A002459FDF21CFB5C881BAABBF9EF55300F1584BED0968B251EB74D946CB90
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 00B226E1
                                    • EndDialog.USER32(00000000,00000001), ref: 00B226F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: DialogWindow
                                    • String ID:
                                    • API String ID: 2634769047-0
                                    • Opcode ID: 1381fb9246b38150b27b02a379f2270abf83c66928e6cfba3c3f8b9aedc0d91a
                                    • Instruction ID: 83a12c0b1e326502a3ec40decc3450e0a39e510647ecb991a568bd1584e9c0d4
                                    • Opcode Fuzzy Hash: 1381fb9246b38150b27b02a379f2270abf83c66928e6cfba3c3f8b9aedc0d91a
                                    • Instruction Fuzzy Hash: 46516670905A85EFDB11CF68C948B4ABBF4EF49310F1482A9E459DB2A1DB70AE04CB91
                                    APIs
                                    • GetLastError.KERNEL32(00AFD643,00000000), ref: 00AFDE50
                                    • DestroyWindow.USER32(?), ref: 00AFDF07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: DestroyErrorLastWindow
                                    • String ID:
                                    • API String ID: 1182162058-0
                                    • Opcode ID: 439c1005810dc372f0a609c60f228d696e106075030a1d33ffb0477a727a123d
                                    • Instruction ID: 31082e9c290798d70be43693dd87acbfe92fe86ad595debf0cb11028806390b6
                                    • Opcode Fuzzy Hash: 439c1005810dc372f0a609c60f228d696e106075030a1d33ffb0477a727a123d
                                    • Instruction Fuzzy Hash: 9321067261010D9BD7219F58EC01BBA77A5EB55321F004226FD05CB691DBB5EC60CBE5
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000), ref: 00B204E5
                                    • CloseHandle.KERNEL32(?), ref: 00B20539
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CloseFreeHandleLibrary
                                    • String ID:
                                    • API String ID: 10933145-0
                                    • Opcode ID: bf5a3767dd3e874d8d61301dd36c2e5f9823c71193d343a90d866cfcf463436f
                                    • Instruction ID: 2ac7c2bc17c7c78c530a8ce20f1f632a4741618d6d36512f9a7c1a621738b80c
                                    • Opcode Fuzzy Hash: bf5a3767dd3e874d8d61301dd36c2e5f9823c71193d343a90d866cfcf463436f
                                    • Instruction Fuzzy Hash: F2217C70600606AFD714DF69EC58B9ABBF8FB04310F10426AE429D73A1DB799904CF94
                                    APIs
                                      • Part of subcall function 00AE3320: LoadLibraryW.KERNEL32(ComCtl32.dll,C310823C,00000000,?,00000000), ref: 00AE335E
                                      • Part of subcall function 00AE3320: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00AE3381
                                      • Part of subcall function 00AE3320: FreeLibrary.KERNEL32(00000000), ref: 00AE33FF
                                    • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00AE1FB4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AE1FBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: LibraryMessageSend$AddressFreeLoadProc
                                    • String ID:
                                    • API String ID: 3032493519-0
                                    • Opcode ID: c59ad7b91fad059a78a8a6cc74e1008010578060ffb6c1771f9b7b29aba22d7d
                                    • Instruction ID: 2f1e0c476cb66142c48e33089069b21167928bb6dc7fc6d6339c7fd90540066b
                                    • Opcode Fuzzy Hash: c59ad7b91fad059a78a8a6cc74e1008010578060ffb6c1771f9b7b29aba22d7d
                                    • Instruction Fuzzy Hash: 5AF0303278121837F660215A5C47F6BB64DD781B64F104266FA98AF2C2ECD67D0403D8
                                    APIs
                                    • LCMapStringEx.KERNEL32(?,00B90200,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B9150C
                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00B90200,?,?,00000000,?,00000000), ref: 00B9152A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: String
                                    • String ID:
                                    • API String ID: 2568140703-0
                                    • Opcode ID: d0b88dc611b5518563eab9f08e6e8136e3c1c33f4e62082ad953d96fe0933c48
                                    • Instruction ID: 235766d909e9c31d8a7d4091f621332d9b56c62f8ccaa5620a152b2c6392d73e
                                    • Opcode Fuzzy Hash: d0b88dc611b5518563eab9f08e6e8136e3c1c33f4e62082ad953d96fe0933c48
                                    • Instruction Fuzzy Hash: 84F0683200011ABBCF126F94DC05ADE3E66EB587A0F068560BA1966020CB32D972EB90
                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,00B933ED,?,00000000,?,?,00B9368E,?,00000007,?,?,00B93CE8,?,?), ref: 00B8EDC3
                                    • GetLastError.KERNEL32(?,?,00B933ED,?,00000000,?,?,00B9368E,?,00000007,?,?,00B93CE8,?,?), ref: 00B8EDCE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 485612231-0
                                    • Opcode ID: 59deedc43b3523c23fcc50312037e1abd423d89b6ed061aaf152ce8a33fc0c0d
                                    • Instruction ID: cd01eaa56c6de3034eacfe2585ee5046fa20fa1fdb577a89856a83ff3dea571f
                                    • Opcode Fuzzy Hash: 59deedc43b3523c23fcc50312037e1abd423d89b6ed061aaf152ce8a33fc0c0d
                                    • Instruction Fuzzy Hash: E7E08C32200214ABCB113FB4AC0DBA93BE9EB00792F1480B8F61C971B1DE34C880CB94
                                    APIs
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B78850
                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B7885B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                    • String ID:
                                    • API String ID: 1660781231-0
                                    • Opcode ID: 4bc3d773b515cef655ad4421e89c65e14629695646fa4303b3159ae10eab5871
                                    • Instruction ID: 15d5d38980358720dd3fa8e3fa0205754e8939cb8556d8d9338e97a07ee2e0fd
                                    • Opcode Fuzzy Hash: 4bc3d773b515cef655ad4421e89c65e14629695646fa4303b3159ae10eab5871
                                    • Instruction Fuzzy Hash: CCD0A922AC4380488D283A76288AA9912D49A127F83E0C2DAE03D8E9C2FF1088402617
                                    APIs
                                    • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00B04EE0,?), ref: 00B04D4B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: EnumLanguagesResource
                                    • String ID:
                                    • API String ID: 4141015960-0
                                    • Opcode ID: c07c95866ad8f687c4c228a8e373ccdc4c520ff70c98f7ab38bc3bef99d40899
                                    • Instruction ID: 692e4de0da3e6ef525dc79fe10be9735f1a2bdaded49d21fe3451e68ca86ae8c
                                    • Opcode Fuzzy Hash: c07c95866ad8f687c4c228a8e373ccdc4c520ff70c98f7ab38bc3bef99d40899
                                    • Instruction Fuzzy Hash: CB51B4B19006069FDB24DF68C885BAFBBF4FF48304F0146A9E615A7691E771ED44CB60
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,C310823C,00000000,?,?,00000001), ref: 00B217D4
                                      • Part of subcall function 009F2A50: RaiseException.KERNEL32(C310823C,C310823C,00000000,00000000,00B2197B,C000008C,00000001,C310823C), ref: 009F2A5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ExceptionObjectRaiseSingleWait
                                    • String ID:
                                    • API String ID: 2077088295-0
                                    • Opcode ID: 19f52ac2e6c11e0458de5ae824a6eae027519b23fafd3efc3345e41cd2ee03ea
                                    • Instruction ID: 35c3dd1d1f9948140fe5789942011bf32251392ab48e5c42a653a9b1be21256b
                                    • Opcode Fuzzy Hash: 19f52ac2e6c11e0458de5ae824a6eae027519b23fafd3efc3345e41cd2ee03ea
                                    • Instruction Fuzzy Hash: 6B516A35A006159FCB14DF6CD894A6AB7F5FF99310F1586A9E819EB3A1CB30EC41CB90
                                    APIs
                                    • GetCPInfo.KERNEL32(E8458D00,?,00B9429F,00B94293,00000000), ref: 00B94082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Info
                                    • String ID:
                                    • API String ID: 1807457897-0
                                    • Opcode ID: 8a7ec455ff2dc252db4a2e1d6bd3657d96de3dc3e86e188b0165908957b3a98e
                                    • Instruction ID: d40cf24b0f2dd839728282d1f43336a350a1b6e9f31de923e67d96926e8ecc7f
                                    • Opcode Fuzzy Hash: 8a7ec455ff2dc252db4a2e1d6bd3657d96de3dc3e86e188b0165908957b3a98e
                                    • Instruction Fuzzy Hash: 445128B15042689ADF218B28DC80FE67FF8EB56704F2405F9E59AD7142D3319D86DB20
                                    APIs
                                    • DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,C310823C), ref: 00B0398B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: 1d35b4c12710f680bbbc6ac3f00ceeb45baf639eae0ec3dc3a683363ca77fc69
                                    • Instruction ID: 145bb8685121596e08b3752ffc3bcacc09f9f31fea4f62c73feb3b04b15ac8f6
                                    • Opcode Fuzzy Hash: 1d35b4c12710f680bbbc6ac3f00ceeb45baf639eae0ec3dc3a683363ca77fc69
                                    • Instruction Fuzzy Hash: 18410631A00615DFDB10DF58C885B9EBBF8FF45B10F1082A9E955AB2D1DB70EA00CBA1
                                    APIs
                                      • Part of subcall function 00AE3AD0: __Init_thread_footer.LIBCMT ref: 00AE3B46
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • __Init_thread_footer.LIBCMT ref: 00AE3940
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                    • String ID:
                                    • API String ID: 984842325-0
                                    • Opcode ID: f4849daa7bc5bd8278b54ed56dc0d2485b8ee02d04bfa7121018783e46dbc00b
                                    • Instruction ID: 01a91635f67ff701d93b7fdcaccb042c0b1a3874da987b942a94c2aec779efbb
                                    • Opcode Fuzzy Hash: f4849daa7bc5bd8278b54ed56dc0d2485b8ee02d04bfa7121018783e46dbc00b
                                    • Instruction Fuzzy Hash: 0931CEB2548A80EBDB10EF09ED8AB59B7A0F700B14F304369F465477D1F7B6A940CB58
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00B029F8,?,00000000,00000000,?,?), ref: 00B2061D
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                      • Part of subcall function 00B206F0: WaitForSingleObject.KERNEL32(?,000000FF,C310823C,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B20724
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AllocateCreateFileHeapObjectSingleWait
                                    • String ID:
                                    • API String ID: 1261966429-0
                                    • Opcode ID: 2baff0c7f3ea640523172dc1af9d59ca00c87f3a1d33b3405750197bbeaf5cb1
                                    • Instruction ID: 2548e856aada239c949e064fd183c99ddb6409ce904fe163e42b2deb5ddf83a1
                                    • Opcode Fuzzy Hash: 2baff0c7f3ea640523172dc1af9d59ca00c87f3a1d33b3405750197bbeaf5cb1
                                    • Instruction Fuzzy Hash: FD312874214B109FD325EF28D888B1AB7E0FF88300F20895DE59AEB361D771E991CB55
                                    APIs
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • __Init_thread_footer.LIBCMT ref: 00AC8E32
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID:
                                    • API String ID: 2296764815-0
                                    • Opcode ID: 90895b740488fe9c98786fe73a8af7118a0a7d7bdf99b331ba12d668b609bbcc
                                    • Instruction ID: a9e995265bd06b3c58a501201c947433d4ccb0f5128610776a0bf159b746e79d
                                    • Opcode Fuzzy Hash: 90895b740488fe9c98786fe73a8af7118a0a7d7bdf99b331ba12d668b609bbcc
                                    • Instruction Fuzzy Hash: 8F0188B1948944DBCB14DB58E986B4D73A0F704714F1047BDE82DC7BD0EB35E9049715
                                    APIs
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                      • Part of subcall function 00AE3B70: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00AE3BDE
                                      • Part of subcall function 00AE3B70: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00AE3C25
                                      • Part of subcall function 00AE3B70: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00AE3C44
                                      • Part of subcall function 00AE3B70: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00AE3C73
                                      • Part of subcall function 00AE3B70: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00AE3CE8
                                    • __Init_thread_footer.LIBCMT ref: 00AE3B46
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                    • String ID:
                                    • API String ID: 3563064969-0
                                    • Opcode ID: 329ca51bb6c8897e944d41cff95497e73ab958f07a925948967af226f2f3579c
                                    • Instruction ID: e9f5319c733436705a5e40685ecbd40aaa6bdf587b398c366f8d5b185565fcfe
                                    • Opcode Fuzzy Hash: 329ca51bb6c8897e944d41cff95497e73ab958f07a925948967af226f2f3579c
                                    • Instruction Fuzzy Hash: 0C01DBB1A48644EBCB10EF58ED46B59F3A4E704B24F2043B9E926977D0FB34EA008759
                                    APIs
                                      • Part of subcall function 00B789AB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,-00000010,?,00000008,C310823C), ref: 00B78A0B
                                    • RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionHeapRaise
                                    • String ID:
                                    • API String ID: 3789339297-0
                                    • Opcode ID: c85e3264c83532225a52691b82e18b421e6d251dea6c9b50e79088fe2f7bbbed
                                    • Instruction ID: 1a8a18737cb38aaac3746cc57b45f6829f4d1543bdb8dc9ce0ea387b4bd1d3db
                                    • Opcode Fuzzy Hash: c85e3264c83532225a52691b82e18b421e6d251dea6c9b50e79088fe2f7bbbed
                                    • Instruction Fuzzy Hash: F5F0A771648248FFC702CF54DC01F6ABBA8FB44B10F10857DF91983B90DB36A800DA45
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00B8E2B4,?,00B90055,?,00000000,?,00B807B5,00000000,00B8E2B4,?,?,?,?,00B8E0AE), ref: 00B8EE19
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 81e3e9450aec295d3ea034f5b9307de02ce4b9b99d85b99228a33b7f4e0bed88
                                    • Instruction ID: 56c226bf85d189fd2ffcb8485c3169bc4870e00baf37005db7413a9e28d8e8d5
                                    • Opcode Fuzzy Hash: 81e3e9450aec295d3ea034f5b9307de02ce4b9b99d85b99228a33b7f4e0bed88
                                    • Instruction Fuzzy Hash: 23E0E53110022656E6613A259C04B5B36D9EB053A2F1501E5FC74964F0DB60DC00C7E5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: H_prolog3
                                    • String ID:
                                    • API String ID: 431132790-0
                                    • Opcode ID: 35aeecfe271a8e60ccccaaf77ec6e46e3784a79996f8ce5bef3f42f2328f51bb
                                    • Instruction ID: 60aeafb8d2856b3fc1753331db1f889c07fabb3d58e7dde912d983873c07bd0f
                                    • Opcode Fuzzy Hash: 35aeecfe271a8e60ccccaaf77ec6e46e3784a79996f8ce5bef3f42f2328f51bb
                                    • Instruction Fuzzy Hash: 80E09AB2C8020E9EDB00EFD4C452BEFB7FCAB04310F6085A6A255E7141EA7457458BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 01c7a006b34601c6b37fca681c465ce41a966baa622a69433d9e609896747f07
                                    • Instruction ID: 3e847ec860f59280c52423457d0ff78b953f6a9a5d128adbae50f26172d9a8dd
                                    • Opcode Fuzzy Hash: 01c7a006b34601c6b37fca681c465ce41a966baa622a69433d9e609896747f07
                                    • Instruction Fuzzy Hash: 10C08C3020121047D7304B28B90874332DC5B04700F004409A409D3200CE70DC008654
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                    • API String ID: 0-2910470256
                                    • Opcode ID: 24e248a66dd8565d696773d84f430a272412539db2fdac15f94d04fc67d8de40
                                    • Instruction ID: 96a3df4dad2f856812303a7b9394a1bdcb11d92fc05cffad411aec97173b15d5
                                    • Opcode Fuzzy Hash: 24e248a66dd8565d696773d84f430a272412539db2fdac15f94d04fc67d8de40
                                    • Instruction Fuzzy Hash: D8332BB06443C8EADB46F7E5981971F6A918BA2708F34626CF1442B6D2CFF50E04D7AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                    • API String ID: 0-1959677801
                                    • Opcode ID: bc88ea03851f92e0a80c0da018db8df2a86e96a5232db8e4a1baaf482c11772f
                                    • Instruction ID: a05a432abf9551a3bbd1cc07797da9f2aee3e4ef222fd4b0f7a8774117c790b9
                                    • Opcode Fuzzy Hash: bc88ea03851f92e0a80c0da018db8df2a86e96a5232db8e4a1baaf482c11772f
                                    • Instruction Fuzzy Hash: BC034CA46443C8E6CB0AF3F5491A75F59524BB3708F3466ACF2952B6D2CEE10F01937A
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00A044FA
                                    • VariantClear.OLEAUT32(?), ref: 00A0452C
                                    • VariantClear.OLEAUT32(?), ref: 00A0464F
                                    • VariantClear.OLEAUT32(?), ref: 00A0467E
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A04685
                                    • SysAllocString.OLEAUT32(00000000), ref: 00A046D8
                                    • VariantClear.OLEAUT32(?), ref: 00A04766
                                    • VariantClear.OLEAUT32(?), ref: 00A04798
                                    • VariantClear.OLEAUT32(?), ref: 00A048F9
                                    • VariantClear.OLEAUT32(?), ref: 00A0492C
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A04937
                                    • SysAllocString.OLEAUT32(00000000), ref: 00A0497A
                                    • VariantClear.OLEAUT32(?), ref: 00A04A2F
                                    • VariantClear.OLEAUT32(?), ref: 00A04A62
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A04A70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$Free$Alloc
                                    • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                    • API String ID: 4112810936-3153392536
                                    • Opcode ID: d0853ccb90ad08cba45f309ba14ad6893ddfc174614f14753b25d4aad684a9d0
                                    • Instruction ID: ec02c17349758af6d82d868959c7b262fea7f9d70105382164dea07f87812b10
                                    • Opcode Fuzzy Hash: d0853ccb90ad08cba45f309ba14ad6893ddfc174614f14753b25d4aad684a9d0
                                    • Instruction Fuzzy Hash: 7D9259B0D0025CDBDB11DFA4C844BDEBBB4FF48314F104299E519A7281EB74AA95CF95
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00A038EA
                                    • VariantClear.OLEAUT32(?), ref: 00A0391C
                                    • VariantClear.OLEAUT32(?), ref: 00A03A16
                                    • VariantClear.OLEAUT32(?), ref: 00A03A45
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A03A4C
                                    • SysAllocString.OLEAUT32(00000000), ref: 00A03A93
                                    • VariantClear.OLEAUT32(?), ref: 00A03B17
                                    • VariantClear.OLEAUT32(?), ref: 00A03B49
                                    • VariantClear.OLEAUT32(?), ref: 00A03C49
                                    • VariantClear.OLEAUT32(?), ref: 00A03C7C
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A03C87
                                    • SysAllocString.OLEAUT32(00000000), ref: 00A03CCD
                                    • VariantClear.OLEAUT32(?), ref: 00A03D4A
                                    • VariantClear.OLEAUT32(?), ref: 00A03D7C
                                    • VariantClear.OLEAUT32(?), ref: 00A03E9C
                                    • VariantClear.OLEAUT32(?), ref: 00A03ECB
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A03ED2
                                    • SysAllocString.OLEAUT32(00000000), ref: 00A03F25
                                    • VariantClear.OLEAUT32(?), ref: 00A03FAA
                                    • VariantClear.OLEAUT32(?), ref: 00A03FDC
                                    • VariantClear.OLEAUT32(?), ref: 00A040CD
                                    • VariantClear.OLEAUT32(?), ref: 00A040FA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$AllocFree
                                    • String ID:
                                    • API String ID: 1305860026-0
                                    • Opcode ID: 3b60c413cb7c8fa7972831067b0e6a220aea9e15e0841418fa3321fdf66f432a
                                    • Instruction ID: 58ca4873f3d2226c8b6dd0b1a3950bcd2cab1dfe2d6f703b916f09db7142c6ad
                                    • Opcode Fuzzy Hash: 3b60c413cb7c8fa7972831067b0e6a220aea9e15e0841418fa3321fdf66f432a
                                    • Instruction Fuzzy Hash: C5427B7190024CDFCB11DFA8D888BEEBBB8FF48314F148269E505E7291E7749A45CBA5
                                    APIs
                                      • Part of subcall function 009EF600: EnterCriticalSection.KERNEL32(00C87250,C310823C,00000000,?,?,?,?,?,?,009EEE60,00BA07AD,000000FF), ref: 009EF63D
                                      • Part of subcall function 009EF600: LoadCursorW.USER32(00000000,00007F00), ref: 009EF6B8
                                      • Part of subcall function 009EF600: LoadCursorW.USER32(00000000,00007F00), ref: 009EF75E
                                    • SysFreeString.OLEAUT32(00000000), ref: 009EF243
                                    • SysAllocString.OLEAUT32(00000000), ref: 009EF274
                                    • GetWindowLongW.USER32(?,000000EC), ref: 009EF34B
                                    • GetWindowLongW.USER32(?,000000EC), ref: 009EF35B
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009EF366
                                    • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 009EF374
                                    • GetWindowLongW.USER32(?,000000EB), ref: 009EF382
                                    • SetWindowTextW.USER32(?,00C0438C), ref: 009EF421
                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 009EF458
                                    • GlobalLock.KERNEL32(00000000), ref: 009EF466
                                    • GlobalUnlock.KERNEL32(?), ref: 009EF48A
                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 009EF515
                                    • SysFreeString.OLEAUT32(00000000), ref: 009EF52E
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 009EF575
                                    • SysFreeString.OLEAUT32(00000000), ref: 009EF595
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
                                    • String ID:
                                    • API String ID: 4180125975-0
                                    • Opcode ID: 067a18af819a00e74e3e08b6123d00582c88980d85d0cfbca757d1a7b92663b3
                                    • Instruction ID: d78f9724676e61ed369e7c413fafef7d7d7979a194da886b38fcd0a6e01641fa
                                    • Opcode Fuzzy Hash: 067a18af819a00e74e3e08b6123d00582c88980d85d0cfbca757d1a7b92663b3
                                    • Instruction Fuzzy Hash: 6ED1E071900649EFDB12DFA5CC58BAFBBB8EF45310F144169F911A7290DB799E00CBA1
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EB), ref: 009F8EA3
                                    • ShowWindow.USER32(00000000,?), ref: 009F8EC2
                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 009F8ED0
                                    • GetWindowRect.USER32(00000000,?), ref: 009F8EE7
                                    • ShowWindow.USER32(00000000,?), ref: 009F8F08
                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 009F8F1F
                                      • Part of subcall function 009F2A50: RaiseException.KERNEL32(C310823C,C310823C,00000000,00000000,00B2197B,C000008C,00000001,C310823C), ref: 009F2A5C
                                    • ShowWindow.USER32(?,?), ref: 009F905D
                                    • GetWindowLongW.USER32(?,000000EB), ref: 009F908C
                                    • ShowWindow.USER32(?,?), ref: 009F90A9
                                    • GetWindowRect.USER32(?,?), ref: 009F90CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$LongShow$Rect$ExceptionRaise
                                    • String ID:
                                    • API String ID: 777556035-0
                                    • Opcode ID: 103bee7f6ef122366f8064b9f47d3b999f15a39250d63e5c55e5d85a055121a6
                                    • Instruction ID: 5ccc20e56d441d0bf27a24909cb3434271543ac4032fcff7c1b015c0d90599c3
                                    • Opcode Fuzzy Hash: 103bee7f6ef122366f8064b9f47d3b999f15a39250d63e5c55e5d85a055121a6
                                    • Instruction Fuzzy Hash: 29423671A046189FCB24CFA8D884BAEBBF5FF88304F14855DE959EB260DB30A945CF51
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00AED2A2
                                    • FindClose.KERNEL32(00000000), ref: 00AED2D0
                                    • FindClose.KERNEL32(00000000), ref: 00AED359
                                    Strings
                                    • No acceptable version found. Operating System not supported., xrefs: 00AED73B
                                    • No acceptable version found., xrefs: 00AED749
                                    • No acceptable version found. It must be downloaded manually from a site., xrefs: 00AED734
                                    • No acceptable version found. It must be downloaded., xrefs: 00AED72D
                                    • No acceptable version found. It must be installed from package., xrefs: 00AED726
                                    • No acceptable version found. It is already downloaded and it will be installed., xrefs: 00AED742
                                    • Not selected for install., xrefs: 00AED750
                                    • An acceptable version was found., xrefs: 00AED71F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                    • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                    • API String ID: 544434140-749633484
                                    • Opcode ID: c7cefdac7baf08775f86048050c27410291e96f22c6ab033bf05525c6836cf33
                                    • Instruction ID: 1bd823df7f471f2ce3eb1b876cd9eba8431d5bd4af3a37c5fc5b18f338bb4f90
                                    • Opcode Fuzzy Hash: c7cefdac7baf08775f86048050c27410291e96f22c6ab033bf05525c6836cf33
                                    • Instruction Fuzzy Hash: 35F18C70A00646CFDB10DF29C9487AEFBF1EF45310F1482A8D9599B392DB349E45CB91
                                    APIs
                                    • GetWindowLongW.USER32(80070216,000000EC), ref: 009EECDB
                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 009EECEB
                                    • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 009EECF6
                                    • NtdllDefWindowProc_W.NTDLL(00000000,?,00000001,80070216,?,00000000,?,?,80070216), ref: 009EED04
                                    • GetWindowLongW.USER32(00000000,000000EB), ref: 009EED12
                                    • SetWindowTextW.USER32(00000000,00C0438C), ref: 009EEDB1
                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,00000000), ref: 009EEDE8
                                    • GlobalLock.KERNEL32(00000000), ref: 009EEDF6
                                    • GlobalUnlock.KERNEL32(?), ref: 009EEE1A
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009EEE7F
                                    • NtdllDefWindowProc_W.NTDLL(00000000,?,C310823C,00000000), ref: 009EEED1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                    • String ID:
                                    • API String ID: 3555041256-0
                                    • Opcode ID: 30e681a1a11c452754a7d5844fb6a96cf7a1ed121d0a41585f99232cfc5921c6
                                    • Instruction ID: 266435270df596f8be84f3fff003d7f40bc77c0dec5007601d79714ff5d47f70
                                    • Opcode Fuzzy Hash: 30e681a1a11c452754a7d5844fb6a96cf7a1ed121d0a41585f99232cfc5921c6
                                    • Instruction Fuzzy Hash: 13A1F271901285EBDB12DFA5CC08BAFBBBDEF84310F240618F916A7291DB759D40CBA1
                                    APIs
                                    • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00A06386
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • __Init_thread_footer.LIBCMT ref: 00A0634F
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00A0677F
                                    • SendMessageW.USER32(?,0000102B,?,?), ref: 00A067C8
                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00A0684E
                                      • Part of subcall function 00AD7EE0: __cftof.LIBCMT ref: 00AD7F2F
                                    • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00A06994
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
                                    • String ID: AiFeatIco$Icon
                                    • API String ID: 2303580663-1280411655
                                    • Opcode ID: 961f9bc8a46c3b2613b44e37f091a74fa578e6d2919ec3659670a4e208420015
                                    • Instruction ID: 97f766fd4766880e93c8b00f8a3902ea34c6bda9bbcf54835810a4350a29bdfb
                                    • Opcode Fuzzy Hash: 961f9bc8a46c3b2613b44e37f091a74fa578e6d2919ec3659670a4e208420015
                                    • Instruction Fuzzy Hash: 0E32CE70900248DFDF25DFA8D884BDDBBB5FF58304F144169E909AF292DB70AA44CBA1
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • _wcschr.LIBVCRUNTIME ref: 00B0B5AC
                                    • _wcsrchr.LIBVCRUNTIME ref: 00B0B68B
                                    • _wcsrchr.LIBVCRUNTIME ref: 00B0B6B5
                                    • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00B0B710
                                    • GetDriveTypeW.KERNEL32(?), ref: 00B0B72A
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B0B927
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B0B9B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Wow64$DriveInit_thread_footerRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType_wcschr
                                    • String ID: ]%!
                                    • API String ID: 1522321474-1069524040
                                    • Opcode ID: d2684cad6e3d5d2d889ca34ed6023d9dfe502ed8af4c11ce5c95f09ef923ca0e
                                    • Instruction ID: 64d5cc04e9268200e384fd9650add5e9b417fee955b28a18914963a2ef886c0e
                                    • Opcode Fuzzy Hash: d2684cad6e3d5d2d889ca34ed6023d9dfe502ed8af4c11ce5c95f09ef923ca0e
                                    • Instruction Fuzzy Hash: A7F19C71900659CBDB25DB68C884FADFBF4EF44310F1582E9E51AAB291DB709E84CF90
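                                     The per-function API listings in this report (for example the block above ending at ref 00B0B9B1, which pairs GetLogicalDriveStringsW and GetDriveTypeW with Wow64DisableWow64FsRedirection) are the raw material behind signatures such as "Checks for available system drives". When triaging a report like this one it helps to parse those blocks and re-derive the hits yourself, so that a flagged function can be tied to a concrete ref and read in context; the AI_* custom-action names and the "No acceptable version found" prerequisite messages elsewhere in this report are, in my reading, consistent with an installer bootstrapper performing a prerequisite search, which is an inference from the strings and not a finding the report itself makes. The following Python is an added example, not code from Joe Sandbox or its IDA plugin: it parses the listing format used on this page and flags a few call patterns. The sample input is a trimmed, constructed copy of three blocks from this report, the rule labels quote the report's own signature text where one exists, and the WOW64 rule is my addition rather than a signature the report raises.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings.

Added example; not code from Joe Sandbox or its IDA plugin. It parses the
listing layout used in the report and flags call patterns that correspond
to some of the report's signatures. Rule labels are the editor's own.
"""
import re

# Constructed sample: three trimmed blocks copied in the report's own layout.
SAMPLE_REPORT = """\
APIs
• GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00B0B710
• GetDriveTypeW.KERNEL32(?), ref: 00B0B72A
• Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B0B927
• Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B0B9B1
Memory Dump Source
• Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
APIs
  • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
• FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00AED2A2
• FindClose.KERNEL32(00000000), ref: 00AED2D0
Strings
• No acceptable version found., xrefs: 00AED749
Memory Dump Source
APIs
• SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00A06386
• NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 009EF374
Memory Dump Source
"""

# One listing line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, an optional "(args)" group, then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# (label, APIs that must all appear as direct calls, module that must appear).
# Labels quote the report's signature text where one exists; the WOW64 rule is
# the editor's addition, not a signature the report raises.
RULES = (
    ("Checks for available system drives",
     ("GetLogicalDriveStringsW", "GetDriveTypeW"), None),
    ("Disables WOW64 file-system redirection (native System32 reachable from 32-bit code)",
     ("Wow64DisableWow64FsRedirection",), None),
    ("Contains functionality to check if a debugger is running (IsDebuggerPresent)",
     ("IsDebuggerPresent",), None),
    ("Contains functionality to call native functions",
     (), "NTDLL"),
)


def parse_api_blocks(text):
    """Split the listing into per-function blocks of direct and subcall calls."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"direct": [], "subcall": []}
            blocks.append(current)
            continue
        if stripped in ("Strings", "Memory Dump Source"):
            current = None  # a block's API list ends at either heading
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m is None:
            continue
        call = {"api": m["api"], "module": m["mod"], "args": m["args"] or "",
                "ref": m["ref"], "via": m["sub"]}
        (current["subcall"] if m["sub"] else current["direct"]).append(call)
    return blocks


def triage(text):
    """Return (block index, rule label, lowest matching ref) for each rule hit.

    Only direct calls are matched: a "Part of subcall function" line describes
    a callee, and the report lists that callee in its own block anyway.
    """
    findings = []
    for index, block in enumerate(parse_api_blocks(text)):
        direct = block["direct"]
        names = {c["api"] for c in direct}
        modules = {c["module"] for c in direct}
        for label, needed, module in RULES:
            if not set(needed) <= names:
                continue
            if module is not None and module not in modules:
                continue
            hits = [c["ref"] for c in direct
                    if c["api"] in needed or c["module"] == module]
            findings.append((index, label, min(hits)))
    return findings


if __name__ == "__main__":
    for index, label, ref in triage(SAMPLE_REPORT):
        print(f"block {index} @ {ref}: {label}")
```

                                     Run against the full report text, the parser yields one block per "APIs" heading in the order they appear on the page, so the block index maps straight back to the function boxes above; the rules are deliberately set-based rather than order-based because the listing is sorted by ref, not by execution order, and a call sequence cannot be inferred from it.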
                                    APIs
                                    • SendMessageW.USER32(00000000,00000432,00000000,?), ref: 00A3FD0C
                                    • SendMessageW.USER32(00000000,00000439,00000000,?), ref: 00A3FD1C
                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00A3FD2E
                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00A3FD3F
                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00A3FD52
                                    • GetWindowRect.USER32(?,?), ref: 00A3FD80
                                      • Part of subcall function 00A41310: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A4136F
                                      • Part of subcall function 00A41310: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00A3FEE9,00000000,C310823C,?,?), ref: 00A41388
                                      • Part of subcall function 009F0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009F0E96
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00A3FDE2
                                    • SendMessageW.USER32(00000000,00000411,00000001,?), ref: 00A3FDF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateLongRect
                                    • String ID:
                                    • API String ID: 1954517558-0
                                    • Opcode ID: 9c0a76f70daab1018694a4b514722b472c7adf3dcb64304bf75826b7e4a7d81f
                                    • Instruction ID: 704851bbc7c53cd5af1d563a25c0492f82a2015f02a6ccc30c386cf3a07fc70d
                                    • Opcode Fuzzy Hash: 9c0a76f70daab1018694a4b514722b472c7adf3dcb64304bf75826b7e4a7d81f
                                    • Instruction Fuzzy Hash: 2FB1D8B1A10219AFDB04CF69C985AAE7BF5FB48300F40862AFD19E7291D774E954CB90
                                    APIs
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00AC3690
                                    • SendMessageW.USER32(?,00000443,00000000), ref: 00AC36FA
                                    • MulDiv.KERNEL32(?,00000000), ref: 00AC3731
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow
                                    • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                    • API String ID: 701072176-2319862951
                                    • Opcode ID: 4063491eae3fc9be66b461232bf67d88f12e0a47b41301e5cc9d7a96319657bb
                                    • Instruction ID: dc08b82d9cef2c192dab1ac3d85e46832ede62a72df8991bc4c6109370d480ee
                                    • Opcode Fuzzy Hash: 4063491eae3fc9be66b461232bf67d88f12e0a47b41301e5cc9d7a96319657bb
                                    • Instruction Fuzzy Hash: AFC1AC71A00709AFEB14CF64CC55BEEB7B1EB89300F00829DE556A72D1DB74AA45CB91
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • GetACP.KERNEL32(?,?,?,?,?,?,00B8A53E,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B94E11
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00B8A53E,?,?,?,00000055,?,-00000050,?,?), ref: 00B94E3C
                                    • _wcschr.LIBVCRUNTIME ref: 00B94ED0
                                    • _wcschr.LIBVCRUNTIME ref: 00B94EDE
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00B94F9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                    • String ID: utf8
                                    • API String ID: 4147378913-905460609
                                    • Opcode ID: 409c2ae364e872fc3c99f02eacf3080ca4a4a01a6bc6ceffb85096bebfba4a4c
                                    • Instruction ID: d996656c9caa2e662b959366ba2105d4a88240ff5433729f7829bde2ead8b947
                                    • Opcode Fuzzy Hash: 409c2ae364e872fc3c99f02eacf3080ca4a4a01a6bc6ceffb85096bebfba4a4c
                                    • Instruction Fuzzy Hash: C871AF75600606ABDF28AB74CC86FAA73E8EF45740F1484F9F619DB191EB70E942C760
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 9fe0aae7e87b31159c20f1c655e96a7a0a8305d0f45a98bb3055d4c51610a269
                                    • Instruction ID: 34fb9582dff71867a8c19c5e42e8c149e4b74ef9f41dfa94a7d4ce85e14fe7e0
                                    • Opcode Fuzzy Hash: 9fe0aae7e87b31159c20f1c655e96a7a0a8305d0f45a98bb3055d4c51610a269
                                    • Instruction Fuzzy Hash: 07D2F571E086298BDF65CE28DD807EAB7F5EB45305F1441EAD40DE7240EB78AE858F81
                                    APIs
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AE4A68
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00AE4B68
                                    • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00AE4C05
                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00AE4C2B
                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00AE4C75
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AE4CF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirstInit_thread_footer_wcsrchr$HeapProcess
                                    • String ID:
                                    • API String ID: 2593539128-0
                                    • Opcode ID: 1d21eb3c4e36fb5075f7e6ba04379bdd5c020bca738ce9a5704c1a4750708a30
                                    • Instruction ID: 73ca3d3938f985c447267636720b3ee77bc53645522b3caf60d763387b507ef8
                                    • Opcode Fuzzy Hash: 1d21eb3c4e36fb5075f7e6ba04379bdd5c020bca738ce9a5704c1a4750708a30
                                    • Instruction Fuzzy Hash: C1A1A371A00249DBDB10DF6ACC45BAEB7F8FF88724F24866DE415D7280EB759904CB50
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,C310823C,?,00000000,00000000), ref: 00B209A1
                                    • FindNextFileW.KERNEL32(?,00000000), ref: 00B209BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: FileFind$FirstNext
                                    • String ID:
                                    • API String ID: 1690352074-0
                                    • Opcode ID: 3f6f4f0d7bf8ac3804fffe9d83821b1e54094d895c690ba68085f22b848b3ff8
                                    • Instruction ID: 14080c03830a440043661382c3a2931993256d367f06d0a5c665106387194034
                                    • Opcode Fuzzy Hash: 3f6f4f0d7bf8ac3804fffe9d83821b1e54094d895c690ba68085f22b848b3ff8
                                    • Instruction Fuzzy Hash: 13716C71901289DFDB10EFA8D948BEEB7B4FF49314F148169E819A7292DB349E44CB50
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000C,00B76668,00000000,?,00B76800,00000000,?,?,009F0C24,?), ref: 00B7674E
                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,009F0C24,?), ref: 00B76775
                                    • HeapAlloc.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B7677C
                                    • InitializeSListHead.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B76789
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,009F0C24,?), ref: 00B7679E
                                    • HeapFree.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B767A5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                    • String ID:
                                    • API String ID: 1475849761-0
                                    • Opcode ID: 63c0f64fc1ca72a6c05d2460672a3d26b7c7419326ceb773dfa8aff2afcb2378
                                    • Instruction ID: a4b48a8b65a013ae08f8fe5c948b06c8391020fc5fcb2f383d3a1e24fdbe53a6
                                    • Opcode Fuzzy Hash: 63c0f64fc1ca72a6c05d2460672a3d26b7c7419326ceb773dfa8aff2afcb2378
                                    • Instruction Fuzzy Hash: F7F04931600A11AFEB259F78AC48B2A77E8FB88B56F044468E95AD3250EF70C801CB60
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00B957FD,00000002,00000000,?,?,?,00B957FD,?,00000000), ref: 00B95578
                                    • GetLocaleInfoW.KERNEL32(?,20001004,00B957FD,00000002,00000000,?,?,?,00B957FD,?,00000000), ref: 00B955A1
                                    • GetACP.KERNEL32(?,?,00B957FD,?,00000000), ref: 00B955B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 53161fe04469354de74d52bc411d3894e963af8a7f2cb5cf1cca661cd76c6d19
                                    • Instruction ID: 6568261a9d189aecf1a08911508a2afc86e55bb51ab7c699186cf7cd779aa0ae
                                    • Opcode Fuzzy Hash: 53161fe04469354de74d52bc411d3894e963af8a7f2cb5cf1cca661cd76c6d19
                                    • Instruction Fuzzy Hash: 4F21B022681905AADF369B24C904BAB73E7EB64B20B5784B4E94AD7212F732DE40C750
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00B957C0
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00B95809
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00B95818
                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B95860
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B9587F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID:
                                    • API String ID: 415426439-0
                                    • Opcode ID: 0e78f454f96b85ac47d251ab9eb78721798643f9882eaff6f93bb6b3f94aedbd
                                    • Instruction ID: 2761cf03803b40d3de3bb09330c8194ee050c95050ef30735874728382d4727c
                                    • Opcode Fuzzy Hash: 0e78f454f96b85ac47d251ab9eb78721798643f9882eaff6f93bb6b3f94aedbd
                                    • Instruction Fuzzy Hash: 44515E71A40A09EBDF22DFA5CC81ABE77F8EF44700F1444B9A515EB251EB749E04CB61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 241f84bb112c11c5fb2f49daa3222531d8b45c597fd7bbd776db9f8d97f6aed0
                                    • Instruction ID: 524ca6c2a6a38a02d806e736102a489f43d0b8db4492c9427d1fff958bd56d4e
                                    • Opcode Fuzzy Hash: 241f84bb112c11c5fb2f49daa3222531d8b45c597fd7bbd776db9f8d97f6aed0
                                    • Instruction Fuzzy Hash: 57B12432904256DFDB11EF68C881BFEBBE5EF59310F1481BAE815AB262D235DD01C7A0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7349945be5f3985e587b4af136563fe222495924c7d24050417ecc301e301785
                                    • Instruction ID: ba14b24c432f9d4222abb7699abf959889489cbeb09f9e4ca44cb6a05612be59
                                    • Opcode Fuzzy Hash: 7349945be5f3985e587b4af136563fe222495924c7d24050417ecc301e301785
                                    • Instruction Fuzzy Hash: 27817CB09012589FDB50DF68CC89BA9BBF4EF45314F1482D9E419AB292DB709E84CF91
                                    APIs
                                    • FindResourceW.KERNEL32(00000000,?,00000017,C310823C,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00A7AD49
                                    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00A7AD58
                                    • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00A7AD63
                                    • SizeofResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00A7AD74
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID:
                                    • API String ID: 3473537107-0
                                    • Opcode ID: bb508e6c5fd92cc7a6183c3f85811b6de1b102c07fec1e5203eab0c6e528282b
                                    • Instruction ID: 5bc90d1ed647448363c07be7c8c95843b40aa18953525ca9a7240fe7181e1040
                                    • Opcode Fuzzy Hash: bb508e6c5fd92cc7a6183c3f85811b6de1b102c07fec1e5203eab0c6e528282b
                                    • Instruction Fuzzy Hash: DE31E371D04704ABD7209F74DC05BBFBBB8EB98710F008229E819E3681EF309904C7A2
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A40DB5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A40DD3
                                    • NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00A40DE5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A40DF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: 68199cbb6492f786b6eb368348acbce7c208ff956d09e9708102e67fd72fa891
                                    • Instruction ID: 80d85bc8d3d22ebc4577d139dc04a8451cfdb9203f3805d7e857ce4a3436a384
                                    • Opcode Fuzzy Hash: 68199cbb6492f786b6eb368348acbce7c208ff956d09e9708102e67fd72fa891
                                    • Instruction Fuzzy Hash: 0731BA34908219EFCB11CFA8CC84B5DBBF1FF85320F10429AE411AB2E1CBB5A904CB50
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A40C40
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A40C5E
                                    • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?,?,000000F0,00000000,?,000000F0), ref: 00A40C71
                                    • SetWindowLongW.USER32(FFFFFFFF,000000F0,00000000), ref: 00A40C89
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: b7561dcc8ac04228bd696873be88f7cee1531030dbb4676e6ea8a75bae5af1fe
                                    • Instruction ID: a74f319afcdfa904209767a372d30caeb87c0dcdddd2fd3e029449d7932d84f0
                                    • Opcode Fuzzy Hash: b7561dcc8ac04228bd696873be88f7cee1531030dbb4676e6ea8a75bae5af1fe
                                    • Instruction Fuzzy Hash: 6B110976A04219EFDB159F98DC45B9DBBB1FB88320F21472AF925A73E0CB7159109B40
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A40CB5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A40CD3
                                    • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?,?,000000F0,00000000,?,000000F0), ref: 00A40CE9
                                    • SetWindowLongW.USER32(FFFFFFFF,000000F0,00000000), ref: 00A40D01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: a78d9adeb569917d0d43cf5aa3338de0d2ad94c9241f8adf9a75887d409ea02b
                                    • Instruction ID: 1ab3983e043ce3bb68cb70e38d786cbc4c1402e49aac213a822ed1b1e371b3d8
                                    • Opcode Fuzzy Hash: a78d9adeb569917d0d43cf5aa3338de0d2ad94c9241f8adf9a75887d409ea02b
                                    • Instruction Fuzzy Hash: BF115B76A04219EFDB119F98DC45B9DBBB1FB88320F20432AF865A33E0CB725910DB40
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00B0C9EC
                                    • FindClose.KERNEL32(00000000), ref: 00B0CB37
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$AllocateCloseFileFirstHeap
                                    • String ID: %d.%d.%d.%d
                                    • API String ID: 1673784098-3491811756
                                    • Opcode ID: bc333bd592a0c05fe768c96ff55f8719e884f7a971b860b1fe0ab325c74af174
                                    • Instruction ID: c4ea779aa5eb8a901ca63a7aca74102ddd2f9fbc1c9974875b894fd47b61b270
                                    • Opcode Fuzzy Hash: bc333bd592a0c05fe768c96ff55f8719e884f7a971b860b1fe0ab325c74af174
                                    • Instruction Fuzzy Hash: 546139709052599FDB20DF68C849BADBBB4EF44314F1082D9E819AB291DB369E84CF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                    • API String ID: 0-932585912
                                    • Opcode ID: 810489f05d7c15e9453817b0a68c13233b64276de529584900104397c70951cb
                                    • Instruction ID: 59f18b8bdf2fb61ec5adc8691258877aacabd2cb7dd2217f9823873fe99dbaf7
                                    • Opcode Fuzzy Hash: 810489f05d7c15e9453817b0a68c13233b64276de529584900104397c70951cb
                                    • Instruction Fuzzy Hash: 64D1A170D00258DFDB04DFA9C885BADBBB5FF84304F1081A9E455AB395D778AA09CBA1
                                    APIs
                                    • VirtualQuery.KERNEL32(80000000,00B74062,0000001C,00B74257,00000000,?,?,?,?,?,?,?,00B74062,00000004,00C858EC,00B742E7), ref: 00B7412E
                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00B74062,00000004,00C858EC,00B742E7), ref: 00B74149
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: InfoQuerySystemVirtual
                                    • String ID: D
                                    • API String ID: 401686933-2746444292
                                    • Opcode ID: 0e370ccd7a91954ab64c444a00a03575c02778fa4c782d1f0123e4f3ca825cca
                                    • Instruction ID: 0674cbe6a6d1051565642d4b33acb23be00cde27bbb248a0cf772eb950d100e9
                                    • Opcode Fuzzy Hash: 0e370ccd7a91954ab64c444a00a03575c02778fa4c782d1f0123e4f3ca825cca
                                    • Instruction Fuzzy Hash: 6801D432600109ABCB14EE29DC05BEE7BEDEFD4335F08C260AD6DE7150DB34D9518680
                                    APIs
                                      • Part of subcall function 009F3730: InitializeCriticalSectionAndSpinCount.KERNEL32(00C85C5C,00000000,C310823C,009E0000,Function_001BE9A0,000000FF,?,00B76466,?,?,?,009E6508), ref: 009F3755
                                      • Part of subcall function 009F3730: GetLastError.KERNEL32(?,00B76466,?,?,?,009E6508), ref: 009F375F
                                    • IsDebuggerPresent.KERNEL32(?,?,?,009E6508), ref: 00B7646A
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009E6508), ref: 00B76479
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B76474
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 450123788-631824599
                                    • Opcode ID: 5cf392dacb213f923799892e7d697fb725897867f8be28b400efb06e009f27f0
                                    • Instruction ID: 16939e30b28cdc36cefb4862be758988a7820658e38f6189d8427098612fb286
                                    • Opcode Fuzzy Hash: 5cf392dacb213f923799892e7d697fb725897867f8be28b400efb06e009f27f0
                                    • Instruction Fuzzy Hash: 38E092B0200B528BD3749F74E508362BBE4AF04705F00C8ADE59AD3B50DBF4E548CB92
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B951B7
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B95201
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B952C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: InfoLocale$ErrorLast
                                    • String ID:
                                    • API String ID: 661929714-0
                                    • Opcode ID: c3162396b05887f9d64e66c6586fac8b7feb083875302bcce90ea08d076798a9
                                    • Instruction ID: 6809b3db95400db77d0b96b6c298353f899b5abb02ee159c45d7ae4eced3924e
                                    • Opcode Fuzzy Hash: c3162396b05887f9d64e66c6586fac8b7feb083875302bcce90ea08d076798a9
                                    • Instruction Fuzzy Hash: A1617F71594A079FDF3ADF28CC82BAA77E8EF04340F1441B9E906C6282E774D981CB54
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,C310823C,?), ref: 00AC82FC
                                    • FindNextFileW.KERNEL32(000000FF,00000010,?,C310823C,?), ref: 00AC8455
                                    • FindClose.KERNEL32(000000FF,?,?,C310823C,?), ref: 00AC84B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    • Opcode ID: b217cd7d6c68d88ce0a76b9e59635833ec298d7daf4164e4eacef8da20a8185a
                                    • Instruction ID: 88d228b067f14240ada6985d8f60c07d1037cb55ff425b30a9f2882aa2b3014e
                                    • Opcode Fuzzy Hash: b217cd7d6c68d88ce0a76b9e59635833ec298d7daf4164e4eacef8da20a8185a
                                    • Instruction Fuzzy Hash: 38819A70D04249DBDB24DFA8C999BEEB7B8BB14304F508298D419A7291DB74AE85CB90
                                    APIs
                                    • IsWindow.USER32(00000004), ref: 009F89FE
                                    • GetWindowLongW.USER32(00000004,000000FC), ref: 009F8A17
                                    • SetWindowLongW.USER32(00000004,000000FC,?), ref: 009F8A29
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: c055cfa08e0af48216dd0829b9a6fdc22719c60b03c5acc54a4775661ea29533
                                    • Instruction ID: f1baaa922e1e22b8f937f7baa1c97c66fad7cc44ccbd3a3ecd9efb84bfaadc1e
                                    • Opcode Fuzzy Hash: c055cfa08e0af48216dd0829b9a6fdc22719c60b03c5acc54a4775661ea29533
                                    • Instruction Fuzzy Hash: F24172B0601A46EFDB10DF65C908B5AFBF8FF04314F108269E525D7AA0DBB6E914CB91
                                    APIs
                                    • GetWindowLongW.USER32(00000003,000000FC), ref: 009FC7A6
                                    • SetWindowLongW.USER32(00000003,000000FC,?), ref: 009FC7B8
                                    • DeleteCriticalSection.KERNEL32(?,C310823C,?,?,?,?,00BA2AE4,000000FF), ref: 009FC7E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: LongWindow$CriticalDeleteSection
                                    • String ID:
                                    • API String ID: 1978754570-0
                                    • Opcode ID: 1c8c853fbcf777681b3a7679b118dcddc9d9405e81d6b115b71df7e963709307
                                    • Instruction ID: e43b0dd356b7540b4c1f4408cf1806724304cffc8713515cf632f0407f14d62c
                                    • Opcode Fuzzy Hash: 1c8c853fbcf777681b3a7679b118dcddc9d9405e81d6b115b71df7e963709307
                                    • Instruction Fuzzy Hash: 3A31AFB190464ABBCB11DF68DD44B5ABBF8FF05320F148269F824A76D1D7B1E914CB90
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B7BF9B
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B7BFA5
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B7BFB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: d39383fe998b020af81237914364431d845392614fb6b8d61bd4f0fd65ccaa75
                                    • Instruction ID: fd2f02d4d6377a9d23f4b63e73e831e75bc3f8098501c67a36dc0ae298d7e980
                                    • Opcode Fuzzy Hash: d39383fe998b020af81237914364431d845392614fb6b8d61bd4f0fd65ccaa75
                                    • Instruction Fuzzy Hash: C3319775901219ABCB21DF68DD89B9DB7F8EF08710F5081DAE41CA7291EB709B858F44
                                    APIs
                                    • GetWindowLongW.USER32(?,000000FC), ref: 009F1759
                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 009F1767
                                    • DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,00C0484C), ref: 009F1793
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$Destroy
                                    • String ID:
                                    • API String ID: 3055081903-0
                                    • Opcode ID: def1dde2529bb84c55f7570705a1f11126a3da94eb5301597d08dfd44f265598
                                    • Instruction ID: e30464418a72b6dfcf75f2fcac6f2573aa22b39ab59dbd9ca49e5128f9092d0b
                                    • Opcode Fuzzy Hash: def1dde2529bb84c55f7570705a1f11126a3da94eb5301597d08dfd44f265598
                                    • Instruction Fuzzy Hash: EFF03031405B11DBD7606F28ED04B967BE5BF44722F008B1DF4AE825E0C774E884DB44
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe00726064c4781be53a5f95343334d0c88b69ae3b43e3ddceb108eab983eed0
                                    • Instruction ID: 066e5adbfa01f9a49b75937cb055c7675c9fb0d16d97422be6aa6c138fa77793
                                    • Opcode Fuzzy Hash: fe00726064c4781be53a5f95343334d0c88b69ae3b43e3ddceb108eab983eed0
                                    • Instruction Fuzzy Hash: 0DF11C71E012199FDF14DF69D980AADB7F1FF88314F1582A9E819AB390D730AD05CB90
                                    APIs
                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00A07ABB
                                    • SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00A07CA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: e2c753641847cd6331e324a84a6c835372b7520fb6dd2461354c0b2b9d782a08
                                    • Instruction ID: c86998c45bfad47580e50adb1defe2a53286a910de4c0f69ebbb4595ad0aa96d
                                    • Opcode Fuzzy Hash: e2c753641847cd6331e324a84a6c835372b7520fb6dd2461354c0b2b9d782a08
                                    • Instruction Fuzzy Hash: 79A1C071A0424AAFDB18DF24D995BADFBB5FF45304F148269E81ADB281D734B940CB90
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,C310823C,00000000,?,00000000), ref: 00AFF34E
                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 00AFF399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: f8fdaa7d458f9e66717c5e4478ad7f7731f823334477c926eabc3e73e48af627
                                    • Instruction ID: 1bf9ac2796431c7d85d0a9b9cf65948bd9e5bf4209144c49980a60d3ed0f4568
                                    • Opcode Fuzzy Hash: f8fdaa7d458f9e66717c5e4478ad7f7731f823334477c926eabc3e73e48af627
                                    • Instruction Fuzzy Hash: F851B370900649DFEB21DFA8C848BAEBBF4FF44314F104269E925AB381D7749A04CF90
                                    APIs
                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,C310823C,?,00000000), ref: 00AE324B
                                    • GetLastError.KERNEL32(?,00000000), ref: 00AE3255
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 80afa0118e60256fcb979072d80f64b0fb9de30a37a5853f22583b68cd2efcc9
                                    • Instruction ID: 8e2812f2e53d5cf724ce830d56f783b34b2c0c7ce67e0d2ae91687d5a2fb1759
                                    • Opcode Fuzzy Hash: 80afa0118e60256fcb979072d80f64b0fb9de30a37a5853f22583b68cd2efcc9
                                    • Instruction Fuzzy Hash: DB31C372A00249ABDB10DF99DC09BAEBBF8EF44714F10412EE519E73C0DBB59A008B91
                                    APIs
                                    • GetWindowLongW.USER32(00000000,000000FC), ref: 00A4017F
                                    • SetWindowLongW.USER32(00000000,000000FC,?), ref: 00A4018D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 7d9e1f7955d3870e2f02c894bc8731ac9ca2369e9ba458168764755700135e29
                                    • Instruction ID: 5819f40378f3c91f703edf6220ec670a39d3e9e462c718968d94af7b2087ccdd
                                    • Opcode Fuzzy Hash: 7d9e1f7955d3870e2f02c894bc8731ac9ca2369e9ba458168764755700135e29
                                    • Instruction Fuzzy Hash: B9318771901605EFCB10DF69C984B9EFBF4FB44720F148369E425AB6D1D771AA50CB90
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,C310823C,?,00000000,00000000,00000000,00BE45DD,000000FF), ref: 00B0F908
                                    • FindClose.KERNEL32(00000000,?,C310823C,?,00000000,00000000,00000000,00BE45DD,000000FF), ref: 00B0F952
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: a1e794084643f9ab0197aa63fd8035a23d284c829ddce4403d4ea4a42a16d669
                                    • Instruction ID: cf58d1f449fc134102563fca4f58c46541fc24360f7ecfedded4285081fd43d6
                                    • Opcode Fuzzy Hash: a1e794084643f9ab0197aa63fd8035a23d284c829ddce4403d4ea4a42a16d669
                                    • Instruction Fuzzy Hash: 7921B271900549DFDB20DF68CC49BEEBBB8FF44724F104269E825972D0DB309A08CB90
                                    APIs
                                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,00B75DF9,?,?,?,?,00AF73F1), ref: 00B763C6
                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,00B75DF9,?,?,?,?,00AF73F1), ref: 00B763CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem$Precise
                                    • String ID:
                                    • API String ID: 743729956-0
                                    • Opcode ID: 2671a937df6a8430f9ee23d1a14ced1bf8ac384101b080690d928fddc12d6269
                                    • Instruction ID: af75e193296c9064d79c93ae40f510e87f61c44ee137627900ad1f6d47d432cd
                                    • Opcode Fuzzy Hash: 2671a937df6a8430f9ee23d1a14ced1bf8ac384101b080690d928fddc12d6269
                                    • Instruction Fuzzy Hash: 64D01232541938F78A012F9DEC486FD7B98EB08B617058051F91957160CFA15C51DFD9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 2
                                    • API String ID: 0-450215437
                                    • Opcode ID: 0437e34b730eec8d2fb3705a567f45550560cd8cf97c07d38687c4c42e26a72c
                                    • Instruction ID: 8baff233ef38e53a8d4c0d08e66b8098a301af3cf80205a95981e55267df256f
                                    • Opcode Fuzzy Hash: 0437e34b730eec8d2fb3705a567f45550560cd8cf97c07d38687c4c42e26a72c
                                    • Instruction Fuzzy Hash: 9A32AFB1A047558BCB14DF66D9815ABB7E6AFD4308F00493EF4CBC7281E635E988C792
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B9199B,?,?,00000008,?,?,00B9CAFF,00000000), ref: 00B91BCD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 2a8c67717f26abe38587455c8387f953ff6fe65428aebd0f677e162c59a5f91d
                                    • Instruction ID: caaccf8d69f98935595098d94b804b871e182999fe532777edc3899e58b2e614
                                    • Opcode Fuzzy Hash: 2a8c67717f26abe38587455c8387f953ff6fe65428aebd0f677e162c59a5f91d
                                    • Instruction Fuzzy Hash: 62B14D3121060A9FDB14CF2CC486B647BE1FF05365F258AA8E899CF2A1C335ED92DB40
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B9540A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: d334256b60c2977a7742442f795f74157c10661a7e51d2c1b5afb942e9f61d18
                                    • Instruction ID: 910ba0aa29a723d0d4cb323a5d4b7acd05b33fc49d1d8e1eaa4fd71eb2f464f9
                                    • Opcode Fuzzy Hash: d334256b60c2977a7742442f795f74157c10661a7e51d2c1b5afb942e9f61d18
                                    • Instruction Fuzzy Hash: 0D21AC32651606ABDF39AB25DC42BBA73ECEB44306B1040BAED06C6355EA34E981CB50
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • EnumSystemLocalesW.KERNEL32(00B95163,00000001,00000000,?,-00000050,?,00B95794,00000000,?,?,?,00000055,?), ref: 00B950AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 4159b73421dc43cd3dfcd512d6f2830df30672791f34bfa4d7b8250bf5c4ddef
                                    • Instruction ID: 336dd5b6b29a65da6e9873e0032b42756523949e3ea59d2e496abd3f1b3354cd
                                    • Opcode Fuzzy Hash: 4159b73421dc43cd3dfcd512d6f2830df30672791f34bfa4d7b8250bf5c4ddef
                                    • Instruction Fuzzy Hash: 891129366007059FDF289F39C8956BAB7D1FF80358B14443CE58687A40E371B902CB80
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B9537F,00000000,00000000,?), ref: 00B95611
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: b9347516614c371b45a14dd9453d7aa84fc0d0d1c483802dbf53a7595204c430
                                    • Instruction ID: d8f33ce94e15bff7a73257c77251e0e020ed053700765e0c4c5d2912d46042d7
                                    • Opcode Fuzzy Hash: b9347516614c371b45a14dd9453d7aa84fc0d0d1c483802dbf53a7595204c430
                                    • Instruction Fuzzy Hash: DEF0F432A40512BBDF395F24C809BBA77E8EB40754F4444B8EC16B3180EA70FE01CB90
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00B94F9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID: utf8
                                    • API String ID: 3736152602-905460609
                                    • Opcode ID: 9a00dc22e82f65b3587d88a40db6898db02c900d3cfbfabfc6bf1cad6d44ee2d
                                    • Instruction ID: d78dadacf26cfa6b8ac589fd1122cf21681d40fc0ddef51666a3bbf7fc38dac5
                                    • Opcode Fuzzy Hash: 9a00dc22e82f65b3587d88a40db6898db02c900d3cfbfabfc6bf1cad6d44ee2d
                                    • Instruction Fuzzy Hash: 5AF02832A00105ABCB24EB74DC49FFE33ECDB44715F0041B9B616D7241EA34AD05C750
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • EnumSystemLocalesW.KERNEL32(00B953B6,00000001,00000000,?,-00000050,?,00B95758,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00B95122
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 8eabc120ae7505b0632d7b7b6c86d01ecee249bcc3ff16e1319ffc5035951da1
                                    • Instruction ID: fae1569611bb1f2bab225e3a375ce065c4710e28c9ce8639ddd540eafbd17925
                                    • Opcode Fuzzy Hash: 8eabc120ae7505b0632d7b7b6c86d01ecee249bcc3ff16e1319ffc5035951da1
                                    • Instruction Fuzzy Hash: EFF022362407046FCB25AF349C81A7A7BD1EB80368F0480BDF9454B690D6B1AC02CB50
                                    APIs
                                      • Part of subcall function 00B8BA2A: EnterCriticalSection.KERNEL32(-00C86108,?,00B8DFE9,009E9F26,00C7A8F8,0000000C,00B8E2B4,?), ref: 00B8BA39
                                    • EnumSystemLocalesW.KERNEL32(00B90DCC,00000001,00C7AA38,0000000C,00B911FB,00000000), ref: 00B90E11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 2ca2b8e9f18cf238d4e663b3bde8bad95fb775dab97e4eda61ebcc663a2b7520
                                    • Instruction ID: 37d0119403b01ff1cb96de63a32b61260a9531ae0aae382c31708a2b1f48c9b3
                                    • Opcode Fuzzy Hash: 2ca2b8e9f18cf238d4e663b3bde8bad95fb775dab97e4eda61ebcc663a2b7520
                                    • Instruction Fuzzy Hash: BEF03772A10205DFDB00EF98E842BAC77F0EB48721F10816AE4199B2E0DB75A900CB50
                                    APIs
                                      • Part of subcall function 00B8EA06: GetLastError.KERNEL32(?,00000008,00B90623), ref: 00B8EA0A
                                      • Part of subcall function 00B8EA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B8EAAC
                                    • EnumSystemLocalesW.KERNEL32(00B94F4B,00000001,00000000,?,?,00B957B6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B95029
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: c0fec690795edbfe2711b579c8b40e0b1055b800e1f0b7d710e6ce44cf1e0212
                                    • Instruction ID: 72269581e419c53148797e98b7a485d8ac1bd893abce3ff22c19208c3b0f9fbc
                                    • Opcode Fuzzy Hash: c0fec690795edbfe2711b579c8b40e0b1055b800e1f0b7d710e6ce44cf1e0212
                                    • Instruction Fuzzy Hash: 2DF0E53634020597CF15AF35D859B7A7FD4EFC2754B0640AAEA098B651D671D843C790
                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,009FFFA7,?,?,?,?,?,?,?,?,009FFE18,?,?), ref: 00A01920
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    • Opcode ID: 3aa60a042df92e1e300a5d523d58fbab3c0b6e9b056439fb42b7cf4ba8d0e6eb
                                    • Instruction ID: 8fe12af67a44e377f32076e006bb24f59c1b6ef9881fc05ba2dff0ee075386de
                                    • Opcode Fuzzy Hash: 3aa60a042df92e1e300a5d523d58fbab3c0b6e9b056439fb42b7cf4ba8d0e6eb
                                    • Instruction Fuzzy Hash: EBF0A034105149DFE3008B68E868BE9BBB6FB44392F8845F5F088CA5A5C339CE86DF10
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B8B0A4,?,20001004,00000000,00000002,?,?,00B8A6A6), ref: 00B9138A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 2af3550651b8dae0f180bae4d17057c1b36dc55e2fe529a8775698810887ce90
                                    • Instruction ID: 3d41f1e248f823d7b6d8673ab39f6e6a29e0f31f4249ce0904072ca31e5a00a2
                                    • Opcode Fuzzy Hash: 2af3550651b8dae0f180bae4d17057c1b36dc55e2fe529a8775698810887ce90
                                    • Instruction Fuzzy Hash: EEE04F31500219BBCF126F64DC08BAE7E6AEF54760F014460FD1967121CB319921EAA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 48fb43549432997741116e403d14c89ab7e5dcc9d76added99d5e61c2ba0ce9d
                                    • Instruction ID: 00b1924340ec8d90b2d41ec54cbabcb5745dc24bf652063f23ce85535353dcb3
                                    • Opcode Fuzzy Hash: 48fb43549432997741116e403d14c89ab7e5dcc9d76added99d5e61c2ba0ce9d
                                    • Instruction Fuzzy Hash: 3302B671A006159FCB19DF68D885BEEB7B9FB48720F14822DE819E7391E730AD45CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 802826c450b7aed92c1c1b6f2de402fb93419228651b4b5d7d99f5a7a437350a
                                    • Instruction ID: 4cca4556117b5bcdef0f14edc44281c096cb92dc64673cf2b2faadf9832e91be
                                    • Opcode Fuzzy Hash: 802826c450b7aed92c1c1b6f2de402fb93419228651b4b5d7d99f5a7a437350a
                                    • Instruction Fuzzy Hash: 20E19E70A00606CFCB24DF68C590A7AB7F2FF48314B2485A9D56E9B3A1D730ED46CB59
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0e761c63ae77c1e56d450b6790d2afc60be8ec5c9d74bc96c7f62caba62ab4b8
                                    • Instruction ID: da722a009e9c05500e1e057525ceb24d71665f34363807f2b19db330e39b24f0
                                    • Opcode Fuzzy Hash: 0e761c63ae77c1e56d450b6790d2afc60be8ec5c9d74bc96c7f62caba62ab4b8
                                    • Instruction Fuzzy Hash: 047108B1801B48CFE761CF78C94478ABBF0BB05324F14865DD4A99B3D1D3B96648CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aa6513618f84b29fb0afd42887642603218ee0972d9ddf2b9523b54f9836a910
                                    • Instruction ID: 3c02e309d2cef5368f36ec3739e58fae5b71588d194ead1b7ea1c2895655de6e
                                    • Opcode Fuzzy Hash: aa6513618f84b29fb0afd42887642603218ee0972d9ddf2b9523b54f9836a910
                                    • Instruction Fuzzy Hash: 8541F4B0901B49EED704CF69C50878AFBF0BB09318F20825DD4589B781D3BAA659CFD5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1961e6a52c37aba6845aea9378e43d08788ab94f4f8307c3f281151fecd29e00
                                    • Instruction ID: 6e6ff8710d936fc3555042d838564c3f561113759d00ab612c72fdb5d1446217
                                    • Opcode Fuzzy Hash: 1961e6a52c37aba6845aea9378e43d08788ab94f4f8307c3f281151fecd29e00
                                    • Instruction Fuzzy Hash: 6031CFB0405B84CEE721CF29C55834BBFF0BB15718F108A4DD4A64BB91C3BAA648CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c599d5e5b81bb649a13b5fcd33d3050b64d06fce9628d546871b468084a51b17
                                    • Instruction ID: 18145a8b7b77245c82edc26564fefe01055b9ddb16767287d16805cf68a3fb5b
                                    • Opcode Fuzzy Hash: c599d5e5b81bb649a13b5fcd33d3050b64d06fce9628d546871b468084a51b17
                                    • Instruction Fuzzy Hash: 37216AB1804748DFD710CF58C94478ABBF4FB09314F1186AED4559B791E3B9AA44CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 67ecb4f79991fe185c64cd2149fbdf408fa46c9ec593ccd6c6846592bae87b90
                                    • Instruction ID: fa230d72cfb105465ae18e0501a43d4ef3074b1ba7bef38e828458db887c8bd1
                                    • Opcode Fuzzy Hash: 67ecb4f79991fe185c64cd2149fbdf408fa46c9ec593ccd6c6846592bae87b90
                                    • Instruction Fuzzy Hash: C72158B1804788DFD710CF58C944B8ABBF4FB09324F1186AED455AB791E3B9AA44CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4a12222f5635aa252b36b316acd6c05434fe27fd0917eee643142220373912c3
                                    • Instruction ID: a884b90906fe3125d5fed7fdd64869b89ea467dc18bc3853a388a192c5865e34
                                    • Opcode Fuzzy Hash: 4a12222f5635aa252b36b316acd6c05434fe27fd0917eee643142220373912c3
                                    • Instruction Fuzzy Hash: 93110CF1905648DFCB40CF58D544789BBF4FB09328F2086AEE8189B381D3769A06CF84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                    • Instruction ID: 53ba974ce3752116f4e0352ddbf9550ee2c000f08e1f2145006e2f4a634dbeca
                                    • Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                    • Instruction Fuzzy Hash: 2FE08C32911278EBCB25DB9CC904D8AF3ECEB45B80B1104ABF501D3200C670DE00D7D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 196375293714f82e9c99ca5bb7d726515ed7690d3670f28b5cdcddecd6e68249
                                    • Instruction ID: f318d2e8fa5d7a992a646aee8728ace83bf8a04688f51c98adf3a8008d4655bf
                                    • Opcode Fuzzy Hash: 196375293714f82e9c99ca5bb7d726515ed7690d3670f28b5cdcddecd6e68249
                                    • Instruction Fuzzy Hash: 5BC08C3440094047CE29BA1082713A433E7F393782F8005CEC41B0BAA3DD5EDC82E700
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • GetModuleHandleW.KERNEL32(kernel32,C310823C,?,?,00000000), ref: 00ACB1F3
                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00ACB23B
                                    • __Init_thread_footer.LIBCMT ref: 00ACB24E
                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00ACB296
                                    • __Init_thread_footer.LIBCMT ref: 00ACB2A9
                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00ACB2F1
                                    • __Init_thread_footer.LIBCMT ref: 00ACB304
                                      • Part of subcall function 00AA2620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AA2661
                                      • Part of subcall function 00AA2620: _wcschr.LIBVCRUNTIME ref: 00AA271F
                                    Strings
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00ACB180, 00ACB18F
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00ACB187
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00ACB167, 00ACB16F
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00ACB162
                                    • SetDllDirectory, xrefs: 00ACB290
                                    • kernel32, xrefs: 00ACB1EE
                                    • SetDefaultDllDirectories, xrefs: 00ACB2EB
                                    • SetSearchPathMode, xrefs: 00ACB235
                                    • kernel32.dll, xrefs: 00ACB44D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
                                    • String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
                                    • API String ID: 1258094593-3455668873
                                    • Opcode ID: 5c94a62b43343b7361c27f18118e012e51a43582277e07eefbc12cc7405a9236
                                    • Instruction ID: 8428b82deea2a6ee0afaec0a4f63068873fb68818c9575cadd6d92098192c519
                                    • Opcode Fuzzy Hash: 5c94a62b43343b7361c27f18118e012e51a43582277e07eefbc12cc7405a9236
                                    • Instruction Fuzzy Hash: 82A14BF09082199FDF10DF94D889BDEBBB4EF06318F504299E4196B380DBB15988DFA5
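                                    The Strings list above shows four printf-style batch templates: a cleanup script that clears the read-only attribute, loops on del or rd until the target no longer exists, and finally removes itself with `del "..." | cls` (the pipe to cls is the usual way to suppress cmd's "batch file cannot be found" message once the script has deleted its own file). The following is an added example, not code from the report or from the analysed sample: it expands the two complete templates with constructed paths and flags batch text that carries this retry-until-gone, delete-self pattern. Assumptions are labelled in the code: the templates are treated as C printf format strings (%s for a path, %% for a literal %), the line breaks between commands are assumed because the report prints each template on one line, the last two %s are assumed to be the batch file's own path, and the two longer templates with a retry counter are truncated in the report and are not reconstructed.

```python
import re

# Templates reproduced from the report's Strings list as printf-style format
# strings. The line breaks between commands are an ASSUMPTION about the original
# layout: the report shows each template on one line, and 'goto try' running
# straight into '%SystemRoot%' is not valid batch on a single line.
DEL_LOOP = (
    "@echo off\n"
    "%%SystemRoot%%\\System32\\attrib.exe -r \"%s\"\n"
    ":try\n"
    "del \"%s\"\n"
    "if exist \"%s\" goto try\n"
    "%%SystemRoot%%\\System32\\attrib.exe -r \"%s\"\n"
    "del \"%s\" | cls\n"
)
RD_LOOP = (
    "@echo off\n"
    "%%SystemRoot%%\\System32\\attrib.exe -r \"%s\"\n"
    ":try\n"
    "rd \"%s\"\n"
    "if exist \"%s\" goto try\n"
    "%%SystemRoot%%\\System32\\attrib.exe -r \"%s\"\n"
    "del \"%s\" | cls\n"
)

# Constructed sample paths (not taken from the report).
SAMPLE_TARGET = r"C:\Program Files\ExampleApp\ExampleApp.exe"
SAMPLE_BAT = r"C:\Users\user\AppData\Local\Temp\cleanup.bat"


def render(template: str, target: str, bat_path: str) -> str:
    """Expand a template as a printf call would: %% -> %, five %s filled in.
    ASSUMPTION: the first three %s name the file/directory being removed and
    the last two name the batch file itself, so the script can remove itself."""
    return template % (target, target, target, bat_path, bat_path)


def analyze_batch(text: str) -> dict:
    """Report which traits of the self-deleting cleanup idiom are present.

    clears_readonly : 'attrib -r "<path>"' appears
    retry_loop      : 'if exist "<p>" goto <label>' jumps back to a label that
                      precedes a del/rd of that same path
    self_delete     : a 'del "<p>" | cls' line (error output suppressed because
                      the script is deleting its own file)
    targets         : every quoted path given to del or rd, lower-cased
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    label_pos = {ln[1:].lower(): i for i, ln in enumerate(lines) if ln.startswith(":")}

    removed = {}  # lower-cased path -> index of the first del/rd line naming it
    for i, ln in enumerate(lines):
        m = re.match(r'(?:del|rd)\s+"([^"]+)"', ln, re.I)
        if m:
            removed.setdefault(m.group(1).lower(), i)

    retry_loop = False
    for ln in lines:
        m = re.match(r'if\s+exist\s+"([^"]+)"\s+goto\s+(\w+)', ln, re.I)
        if not m:
            continue
        path, label = m.group(1).lower(), m.group(2).lower()
        # A loop only exists if the label is defined and the del/rd of the
        # checked path sits after it, i.e. inside the loop body.
        if label in label_pos and path in removed and removed[path] > label_pos[label]:
            retry_loop = True

    clears_readonly = any(re.search(r'attrib(?:\.exe)?\s+-r\s+"', ln, re.I) for ln in lines)
    self_delete = any(re.match(r'del\s+"[^"]+"\s*\|\s*cls$', ln, re.I) for ln in lines)
    return {
        "clears_readonly": clears_readonly,
        "retry_loop": retry_loop,
        "self_delete": self_delete,
        "targets": sorted(removed),
    }


def is_self_deleting_cleanup(text: str) -> bool:
    """True when the text both loops until a path is gone and deletes itself."""
    r = analyze_batch(text)
    return r["retry_loop"] and r["self_delete"]


if __name__ == "__main__":
    script = render(DEL_LOOP, SAMPLE_TARGET, SAMPLE_BAT)
    print(script)
    print(analyze_batch(script))
```

                                    Feeding a dropped .bat recovered from the Temp directory into analyze_batch gives a quick triage of whether it is this installer-style cleanup pattern; the per-trait flags are returned rather than a single verdict so a benign script that merely clears a read-only bit is not lumped together with one that loops and erases itself.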
                                    APIs
                                    • OutputDebugStringW.KERNEL32(?,C310823C,?,?,?,00BDD4D5,000000FF,?,00B2127F,?,?,?,00000000), ref: 00AEEB18
                                    • GetActiveWindow.USER32 ref: 00AEEA7A
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    Strings
                                    • .mst, xrefs: 00AEF5D7, 00AEF63E, 00AEFAFE
                                    • REINSTALL=ALL REINSTALLMODE=vomus , xrefs: 00AEFBD3
                                    • TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1, xrefs: 00AEF6F7
                                    • "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00AEFB1F
                                    • .msi, xrefs: 00AEF587, 00AEFA80
                                    • TRANSFORMS=:%s.mst MSINEWINSTANCE=1 , xrefs: 00AEF750
                                    • TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 , xrefs: 00AEF73F
                                    • AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00AEF9D5
                                    • %s , xrefs: 00AEF88C, 00AEFBC1
                                    • majorupgrade-content.mst, xrefs: 00AEF596, 00AEFA8F
                                    • MSINEWINSTANCE=1 , xrefs: 00AEF726
                                    • "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00AEF658
                                    • "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00AEF5F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
                                    • String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$majorupgrade-content.mst
                                    • API String ID: 758407959-743168453
                                    • Opcode ID: 2fb5306d45cd95c8cb5531befa1b0631fcd67256b511c4a618cb92d218041658
                                    • Instruction ID: 6f9f47e84f49449dbcfa30d8d726a2b451ac5e4a5537aa183aeefbb6f6b26dc5
                                    • Opcode Fuzzy Hash: 2fb5306d45cd95c8cb5531befa1b0631fcd67256b511c4a618cb92d218041658
                                    • Instruction Fuzzy Hash: 9C51E075A002459FDB11DB6DC8447AEBBF5EF45321F1482ADE816AB391EB309D00CB91
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ParentWindowlstrcmp
                                    • String ID: #32770
                                    • API String ID: 3676684576-463685578
                                    • Opcode ID: 87b385d943bdd015b529528c963f836399f9aecc845890a1731cec84423bd665
                                    • Instruction ID: bfd9a33b076415cd107f69795765d8665f1417368d1bdcd67688c8c7c967221a
                                    • Opcode Fuzzy Hash: 87b385d943bdd015b529528c963f836399f9aecc845890a1731cec84423bd665
                                    • Instruction Fuzzy Hash: E0E17C74A00219EFDB15CFA8C844BBDBBB9EF49714F148159F901AB2A0DB75AD44CBA0
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,C310823C,?,?,00000000,?,?,?,?,?,?,C310823C,00BA9E15,000000FF), ref: 00A1DB3D
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A1DB43
                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,C310823C,00BA9E15,000000FF,?,00A345FA,00C0C86C,C310823C,C310823C), ref: 00A1DB73
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A1DB79
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                    • API String ID: 2574300362-2454113998
                                    • Opcode ID: dd3b7cbb8e0144d9f252cd8ac04103ee6a4171472c042f217176a654b5351b6c
                                    • Instruction ID: ddee9cebf71c607191884a0fa6e96f0d6e05aca0b04d5a01b8c3301be0bc3d6d
                                    • Opcode Fuzzy Hash: dd3b7cbb8e0144d9f252cd8ac04103ee6a4171472c042f217176a654b5351b6c
                                    • Instruction Fuzzy Hash: 46A17DB1A04209EFDF15DFA8D895BEEBBF4EF48710F144069E415B7290DB709A84CB91
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,C310823C,?,?,?,?,?,?,?,C310823C,00BA74D5,000000FF,?,00A13AAA,00C084E0), ref: 00A137F7
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A137FD
                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,C310823C,00BA74D5,000000FF,?,00A13AAA,00C084E0,C310823C,C310823C), ref: 00A1382E
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A13834
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                    • API String ID: 2574300362-2454113998
                                    • Opcode ID: 0a7e7c6c1ab76d1e4b288b2727fdd3506d4ebd0ce3a2de142dd15dfe8db0a742
                                    • Instruction ID: 517a631d69ef08d2d772b594d3ca306eb4444a0a5225627b0bf8135e459e0059
                                    • Opcode Fuzzy Hash: 0a7e7c6c1ab76d1e4b288b2727fdd3506d4ebd0ce3a2de142dd15dfe8db0a742
                                    • Instruction Fuzzy Hash: C6815CB2900248EFDF15DFA8C895BEEBBB4EF08710F144169E415B72D1DBB19A84CB61
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,C310823C,?,?), ref: 00B0FEF3
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00B10089
                                    • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00B100E5
                                    • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00B10135
                                    • RegCloseKey.ADVAPI32(?), ref: 00B10175
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: OpenQueryValue$Close
                                    • String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                    • API String ID: 2529929805-1079072530
                                    • Opcode ID: 31757829f975ddf217186277dffc837e1ea0399c7beb395225f0a72e20960849
                                    • Instruction ID: dee4f907eda3899c8f6de2d5c6410bdf828b553f0a89108a984cf2bd31f1d7bc
                                    • Opcode Fuzzy Hash: 31757829f975ddf217186277dffc837e1ea0399c7beb395225f0a72e20960849
                                    • Instruction Fuzzy Hash: 40024A719152699BDB20EB28CC88BEEB7F4EF45304F5042D9E409A7291DBB5AEC4CF50
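Worked example, added by the editor and not part of the Joe Sandbox report or of the analysed sample's own code: a small Python triage helper that parses the `APIs` bullet lines in the format these function entries use and flags two patterns visible in the three entries directly above, LoadLibrary followed by GetProcAddress (dynamic API resolution) and RegOpenKeyEx on a fixed root key together with the value names later passed to RegQueryValueEx. The sample text is copied from those entries; the regular expression, the root-key handle table and the classification rules are the editor's assumptions about the plugin's output, not something the report documents. Two caveats a practitioner should keep in mind: the plugin prints raw stack slots, so LoadLibraryW is shown with fifteen values although it takes one parameter and only slot 0 is a real argument; and neither pattern is malicious on its own. Here the combase.dll lookups of RoGetActivationFactory and CoIncrementMTAUsage are the usual Windows Runtime bootstrap shim, and the JavaSoft\JavaHome probe, alongside the AI_* MSI properties in the first entry of this section, is consistent with an installer bootstrapper, which fits the low detection score of this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" bullet line as the Joe Sandbox IDA plugin renders it:
#   • <Api>.<MODULE>(<slot>,<slot>,...), ref: <address>
# Subcall lines carry a "Part of subcall function <addr>:" prefix; a call shown
# without parentheses (GetCurrentThread.KERNEL32 ref: ...) has no slots.
# Pattern inferred from the lines on this page (assumption, not a format spec).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined root-key handles (winreg.h) as seen in slot 0 of RegOpenKeyEx*.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM",
         "80000003": "HKU", "80000005": "HKCC"}

# Constructed sample: the "APIs" blocks of three entries on this page, verbatim.
# LoadLibraryW takes one parameter yet fifteen values are listed: the plugin
# dumps stack slots, so only slot 0 is the library name.
SAMPLE_REPORT = r"""APIs
• LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,C310823C,?,?,00000000,?,?,?,?,?,?,C310823C,00BA9E15,000000FF), ref: 00A1DB3D
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A1DB43
• LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,C310823C,00BA9E15,000000FF,?,00A345FA,00C0C86C,C310823C,C310823C), ref: 00A1DB73
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A1DB79
Strings
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,C310823C,?,?), ref: 00B0FEF3
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00B10089
• RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00B100E5
• RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00B10135
• RegCloseKey.ADVAPI32(?), ref: 00B10175
Strings
APIs
• InitializeCriticalSection.KERNEL32(00C8711C,C310823C,?,?,00000000), ref: 00AE92F3
• GetCurrentThread.KERNEL32 ref: 00AE931D
• GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00C0438C,00000000), ref: 00AE94FE
  • Part of subcall function 009F0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009F0E96
Strings
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]         # raw stack slots as printed; "?" means unknown
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the line is a subcall entry


def parse_api_blocks(text: str) -> List[List[Call]]:
    """Split at each per-function 'APIs' label and parse the bullet lines under
    it; a block ends at the next 'Strings' or 'Memory Dump Source' label."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        label = line.strip()
        if label == "APIs":
            current = []
            blocks.append(current)
            continue
        if label in ("Strings", "Memory Dump Source"):
            current = None
            continue
        m = API_LINE.match(line) if current is not None else None
        if m is None:
            continue  # not a call line: skip rather than guess
        args = m.group("args")
        current.append(Call(m.group("api"), m.group("module"),
                            args.split(",") if args is not None else [],
                            m.group("ref"), m.group("sub")))
    return blocks


def classify(calls: List[Call]) -> List[tuple]:
    """Flag the two behaviours visible in the entries above. Neither is
    malicious on its own; the output is a triage hint, not a verdict."""
    findings: List[tuple] = []
    loads = [c for c in calls if c.api.startswith("LoadLibrary")]
    if loads and any(c.api == "GetProcAddress" for c in calls):
        findings.append(("dynamic_api_resolution",
                         sorted({c.args[0] for c in loads if c.args})))
    queried = sorted({c.args[1] for c in calls
                      if c.api.startswith("RegQueryValueEx")
                      and len(c.args) > 1 and c.args[1] != "?"})
    for c in calls:
        if c.api.startswith("RegOpenKeyEx") and len(c.args) > 1 and c.args[0] in HIVES:
            findings.append(("registry_lookup", HIVES[c.args[0]] + "\\" + c.args[1], queried))
    return findings


def triage(text: str) -> List[dict]:
    """One row per function entry: first call-site address, call count, findings."""
    return [{"first_ref": b[0].ref, "n_calls": len(b), "findings": classify(b)}
            for b in parse_api_blocks(text) if b]


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f"function @ {row['first_ref']}: {row['n_calls']} calls")
        for kind, *detail in row["findings"]:
            print(f"    {kind}: {detail}")
```

Running the file prints one summary row per function entry. The parser deliberately stops a block at the `Strings` label so that string listings are never mistaken for calls, and it ignores any line the regular expression does not recognise instead of guessing. To use it on a whole report, paste the page text into `triage()`; to cover other families, extend `HIVES` and add rules to `classify()` in the same style.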
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(00C8711C,C310823C,?,?,00000000), ref: 00AE92F3
                                    • EnterCriticalSection.KERNEL32(?,C310823C,?,?,00000000,?,?,?,?,?,00000000,00BDC417,000000FF), ref: 00AE9305
                                    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00BDC417,000000FF), ref: 00AE9312
                                    • GetCurrentThread.KERNEL32 ref: 00AE931D
                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00C0438C,00000000), ref: 00AE94FE
                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 00AE95DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                    • String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
                                    • API String ID: 3051236879-1086252000
                                    • Opcode ID: 239d34c399b1eeff8f973ffe74b8da42d21aa5ac69a9231e8599061b080b9b1e
                                    • Instruction ID: a998cde7242ad7554f28a9a7a422c0ce84a9ca44aafa48ba668da9d9c62af8af
                                    • Opcode Fuzzy Hash: 239d34c399b1eeff8f973ffe74b8da42d21aa5ac69a9231e8599061b080b9b1e
                                    • Instruction Fuzzy Hash: CCC17B71504388AFDB26DFA4CC55BEEBBB8FF44304F504168E9199B281DBB55B08CBA1
                                    APIs
                                    • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,C310823C), ref: 00A0CC38
                                      • Part of subcall function 009F0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009F0E96
                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00A0CD3B
                                    • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00A0CD4F
                                    • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00A0CD64
                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00A0CD79
                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00A0CD90
                                    • GetWindowRect.USER32(?,?), ref: 00A0CDC2
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00A0CE24
                                    • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00A0CE34
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateLongRect
                                    • String ID: ,$tooltips_class32
                                    • API String ID: 1954517558-3856767331
                                    • Opcode ID: 7141c2842ec5c6fc062fa35f638ce3771d40680c8f768ce740e1d836fd79d926
                                    • Instruction ID: 22011c38d3a8efd6a53f3d12207b4efee403e52ac8e2a4d082d8c393b4eb7462
                                    • Opcode Fuzzy Hash: 7141c2842ec5c6fc062fa35f638ce3771d40680c8f768ce740e1d836fd79d926
                                    • Instruction Fuzzy Hash: 04913B71A00608AFEB14CFA4DD95BAEBBF9FB48300F10852AE556EB290D774A904CB50
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(00C8711C,C310823C,?,?,00000000), ref: 00AE92F3
                                    • EnterCriticalSection.KERNEL32(?,C310823C,?,?,00000000,?,?,?,?,?,00000000,00BDC417,000000FF), ref: 00AE9305
                                    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00BDC417,000000FF), ref: 00AE9312
                                    • GetCurrentThread.KERNEL32 ref: 00AE931D
                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00C0438C,00000000), ref: 00AE94FE
                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 00AE95DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                    • String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
                                    • API String ID: 3051236879-1086252000
                                    • Opcode ID: a7c899427976b367355c77d567362531d2c3279faba8038e9529fb9a6f5f2189
                                    • Instruction ID: a52b02ffb1b9b1044553f0bbd2a56703e77b291840b244bb7cac7b6358202aa5
                                    • Opcode Fuzzy Hash: a7c899427976b367355c77d567362531d2c3279faba8038e9529fb9a6f5f2189
                                    • Instruction Fuzzy Hash: 96A16C71904388AFDF26DFA4CC55BEE7BB8BF45304F404168E909AB291EB755B08CB51
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00AE646E
                                    • __Init_thread_footer.LIBCMT ref: 00AE65C7
                                    • GetStdHandle.KERNEL32(000000F5,?,C310823C,?,?), ref: 00AE664F
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00AE6656
                                    • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00AE666A
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00AE6671
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,00C068B8,00000002,?,?), ref: 00AE6700
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00AE6707
                                    • IsWindow.USER32(00000000), ref: 00AE6920
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                    • String ID: Error
                                    • API String ID: 2811146417-2619118453
                                    • Opcode ID: 736db7b7e373cec6944d7055a6ccab9cba6215218d1774a9432cd8681b9a1034
                                    • Instruction ID: 0de9f3199898dcfefb73ebca1ca98be1898afb1f86dcdf69efd8966e9b0f63b8
                                    • Opcode Fuzzy Hash: 736db7b7e373cec6944d7055a6ccab9cba6215218d1774a9432cd8681b9a1034
                                    • Instruction Fuzzy Hash: CA228C70E00358DFDB10DFA5C844BDEBBB4BF55314F208698E419AB291EB75AA88CF51
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00C87250,C310823C,00000000,?,?,?,?,?,?,009EEE60,00BA07AD,000000FF), ref: 009EF63D
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 009EF6B8
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 009EF75E
                                    • LeaveCriticalSection.KERNEL32(00C87250), ref: 009EF7B3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalCursorLoadSection$EnterLeave
                                    • String ID: v$0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
                                    • API String ID: 3727441302-556780245
                                    • Opcode ID: eb9720237286c1c1be56e1803392b633f8b3cbe686547b737da56e0929049934
                                    • Instruction ID: 33d2c77c798e8a2fdb2f66615fd6128e3e9da3bfceae1dad2ab0c603f2892508
                                    • Opcode Fuzzy Hash: eb9720237286c1c1be56e1803392b633f8b3cbe686547b737da56e0929049934
                                    • Instruction Fuzzy Hash: 345111B0C01259EFDB11DFA8D844B9EBFF8AB08314F10012AE904B7290EBB55A45CFA4
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A45AB7
                                    • GetParent.USER32 ref: 00A45ACD
                                    • GetWindowRect.USER32(?,?), ref: 00A45AD8
                                    • GetParent.USER32(?), ref: 00A45AE0
                                    • GetWindow.USER32(?,00000004), ref: 00A45B12
                                    • GetWindowRect.USER32(?,?), ref: 00A45B20
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00A45B2D
                                    • MonitorFromWindow.USER32(?,00000002), ref: 00A45B45
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00A45B5F
                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00A45C0D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$LongMonitorParentRect$FromInfo
                                    • String ID:
                                    • API String ID: 1820395375-0
                                    • Opcode ID: 34475f55e20aa624f9fbf8d61d9030bb8edea49c50e93c684a5fe2d293fb4a29
                                    • Instruction ID: 56b44ed908bb78e2b6aa4ab48213d426883040bb756bdefe8de5214c7b052d50
                                    • Opcode Fuzzy Hash: 34475f55e20aa624f9fbf8d61d9030bb8edea49c50e93c684a5fe2d293fb4a29
                                    • Instruction Fuzzy Hash: 11516D76D005199FDB20CFB8CD45BAEBBB9FB88710F244229E815E3295DB30AD45CB94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
                                    • API String ID: 0-2691827946
                                    • Opcode ID: 2c4c1025dd6058214fae92bb0c9def05339818efde8f45177b6f9ded36d5a3c0
                                    • Instruction ID: dfd35a1759ded57d6508b92c00f0815fe1dc4e01778bc8b570643d418dbdd7bd
                                    • Opcode Fuzzy Hash: 2c4c1025dd6058214fae92bb0c9def05339818efde8f45177b6f9ded36d5a3c0
                                    • Instruction Fuzzy Hash: FEB192B1A04344DFDB14CF58D845B5EBBE1FB85720F2082AEE8699B3D0D7769A00CB91
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: _wcschr
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
                                    • API String ID: 2691759472-1956487666
                                    • Opcode ID: cabfe73caf142dc9bcf85542659335fbeeded2c3186143a53eef56f1a392d519
                                    • Instruction ID: 5999ac46cfd25e3d1a6a444d7684ed16fde545142d7305fb0237a90debffd35e
                                    • Opcode Fuzzy Hash: cabfe73caf142dc9bcf85542659335fbeeded2c3186143a53eef56f1a392d519
                                    • Instruction Fuzzy Hash: 5E41EA72F40206ABDF10DA64DC02B9ABBE8FB45721F144AB9BC25E22E1E771DC10C761
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • CreateThread.KERNEL32(00000000,00000000,00A12D20,00C08468,00000000,?), ref: 00A12C9A
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A12CB3
                                    • CloseHandle.KERNEL32(00000000), ref: 00A12CC9
                                    • CoInitializeEx.COMBASE(00000000,00000000), ref: 00A12D79
                                    • GetProcessHeap.KERNEL32(?,00000000), ref: 00A12E7B
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 00A12E81
                                    • GetProcessHeap.KERNEL32(?,00000000), ref: 00A12F00
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 00A12F06
                                    • CoUninitialize.COMBASE ref: 00A1305A
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00A130DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
                                    • String ID:
                                    • API String ID: 1779960141-0
                                    • Opcode ID: 62aaf5b11be6a6affc815c3ec4415d9d0c342e99f6eec52164ecaccbf316cf62
                                    • Instruction ID: be817cd6929706c5e00a2e415410f570a2668bb8ba3c68f9c71e41ab8c5efffb
                                    • Opcode Fuzzy Hash: 62aaf5b11be6a6affc815c3ec4415d9d0c342e99f6eec52164ecaccbf316cf62
                                    • Instruction Fuzzy Hash: DAF15DB1D01218DFDF14CFA8C944BEEBBF4BF44304F248199E415AB291DB749A85CBA1
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00A034DA
                                    • VariantClear.OLEAUT32(?), ref: 00A0350C
                                    • VariantClear.OLEAUT32(?), ref: 00A03606
                                    • VariantClear.OLEAUT32(?), ref: 00A03635
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A0363C
                                    • SysAllocString.OLEAUT32(00000000), ref: 00A03683
                                    • VariantClear.OLEAUT32(?), ref: 00A0370A
                                    • VariantClear.OLEAUT32(?), ref: 00A0373C
                                    • VariantClear.OLEAUT32(?), ref: 00A03817
                                    • VariantClear.OLEAUT32(?), ref: 00A03846
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$AllocFree
                                    • String ID:
                                    • API String ID: 1305860026-0
                                    • Opcode ID: 3b91998a66c33118d092be354612863f0742ae1ea223b32431998b8b219af8c3
                                    • Instruction ID: e3eafc6dc1361a9b3d0e9c576b66263f216ed228a679b19589cd5cf7a1fc759e
                                    • Opcode Fuzzy Hash: 3b91998a66c33118d092be354612863f0742ae1ea223b32431998b8b219af8c3
                                    • Instruction Fuzzy Hash: 08C17B7290024CDFCF11DFA8D844BDEBBB8EF48710F148269E405E7291E779AA45CBA5
                                    APIs
                                    • GetSystemDefaultLangID.KERNEL32 ref: 00B04B8C
                                    • GetUserDefaultLangID.KERNEL32 ref: 00B04B99
                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00B04BAB
                                    • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00B04BBF
                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00B04BD4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                    • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                    • API String ID: 667524283-3528650308
                                    • Opcode ID: 3f35ed1595feba22d9812ee03035dbbab93c92e4be90feb0f755fcdb3a12eb70
                                    • Instruction ID: b17e13034b4e39d95835cbad1eb4c23379d64000a6f841656a8883a0c45ae67f
                                    • Opcode Fuzzy Hash: 3f35ed1595feba22d9812ee03035dbbab93c92e4be90feb0f755fcdb3a12eb70
                                    • Instruction Fuzzy Hash: AD41CFB06053019FD764EF28E8507BABBE1EFD8340F81096EE986C3280EB31D845CB52
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00B7A9C7
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00B7A9CF
                                    • _ValidateLocalCookies.LIBCMT ref: 00B7AA58
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00B7AA83
                                    • _ValidateLocalCookies.LIBCMT ref: 00B7AAD8
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00B7AAEE
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00B7AB03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                    • String ID: csm
                                    • API String ID: 1385549066-1018135373
                                    • Opcode ID: c148b689ecbf49bfa3a8fe3228a23160bcf4d433e33b3672181ae6532ad13e9a
                                    • Instruction ID: 31ec98ebaba2c0a201eaeeba167c3a6118eb138495d28d909aadb367800ac69c
                                    • Opcode Fuzzy Hash: c148b689ecbf49bfa3a8fe3228a23160bcf4d433e33b3672181ae6532ad13e9a
                                    • Instruction Fuzzy Hash: B5419134A00209AFCF50DF68C985AAE7BE5EF85314F14C0E5E82D5B392DB359A15CF92
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A3A6E0
                                    • SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00A3A70E
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00A3A53C), ref: 00A3A71F
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00A3A753
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A3A77F
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00A3A53C), ref: 00A3A796
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A3A7BA
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A3A7D2
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00A3A53C), ref: 00A3A7E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: af2e604c3ed857da227f79290f604cbe4d76dadd1410931677c4a4d4af9e0ea4
                                    • Instruction ID: 81cadfc8078d3e92b2492ba969e94dd9d79443b6ba857c790675de3af6fb26e8
                                    • Opcode Fuzzy Hash: af2e604c3ed857da227f79290f604cbe4d76dadd1410931677c4a4d4af9e0ea4
                                    • Instruction Fuzzy Hash: 4B31F631A44229BFEF258F24CC85FED3722EBC4360F244229F959AB2E1DBB59D409744
                                    APIs
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 00ACAEA9
                                    • CloseHandle.KERNEL32(00000000), ref: 00ACAED0
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                      • Part of subcall function 00ACCA40: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00AF4C1A,80070057,C310823C,?,?,?,00B9E7D0,000000FF,?,00ACC8D7), ref: 00ACCA7D
                                      • Part of subcall function 00ACCA40: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00ACCAAE
                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 00ACAF45
                                    • CloseHandle.KERNEL32(00000000), ref: 00ACAF97
                                      • Part of subcall function 00ACC860: WideCharToMultiByte.KERNEL32(00000003,00000000,00AF4C1A,000000FF,00000000,00000000,00000000,00000000,?,?,?,00AF4C1A,?,?), ref: 00ACC87C
                                      • Part of subcall function 00ACC860: WideCharToMultiByte.KERNEL32(00000003,00000000,00AF4C1A,000000FF,?,-00000001,00000000,00000000,?,?,?,00AF4C1A,?,?), ref: 00ACC8B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
                                    • String ID: .bat$EXE$open
                                    • API String ID: 4275363648-2898749727
                                    • Opcode ID: 1e849d80b848c9d9f9a81998d5350fb70274d2bcc9d2d27933c7969964c0134b
                                    • Instruction ID: 37b22bea21f3c1a6337a69ab5a0bee93a7b77668b6517d16ef59e7e5ba90b902
                                    • Opcode Fuzzy Hash: 1e849d80b848c9d9f9a81998d5350fb70274d2bcc9d2d27933c7969964c0134b
                                    • Instruction Fuzzy Hash: 1DA18A70901648EFEB10CFA8C948B9EFBB4FF45314F248299E414AB2A1DB749D44CF90
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 009F6DBF
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 009F6E13
                                    • CloseHandle.KERNEL32(00000000), ref: 009F6E70
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 009F6ED4
                                    • CloseHandle.KERNEL32(00000000,?), ref: 009F6EFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                    • String ID: aix$html
                                    • API String ID: 2030708724-2369804267
                                    • Opcode ID: 37c25b5da554cc67c2b6c9782da149856401d7617eeb3312829befe646de67a3
                                    • Instruction ID: bda47122d0e7116801033800dbf71abda79e61ff4445587ac3528d8caa93220b
                                    • Opcode Fuzzy Hash: 37c25b5da554cc67c2b6c9782da149856401d7617eeb3312829befe646de67a3
                                    • Instruction Fuzzy Hash: D2618EB0904348DFDB10CFA4DD59B9EBBF4FB45308F204259E105AB2D1EBB9A908CB95
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00C87028,00000000,C310823C,00000000,00BD7533,000000FF,?,C310823C), ref: 009E29D3
                                    • GetLastError.KERNEL32(?,C310823C), ref: 009E29DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CountCriticalErrorInitializeLastSectionSpin
                                    • String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
                                    • API String ID: 439134102-34576578
                                    • Opcode ID: 39cf4d928aac67b8d5a69738a7e6ccd3add39fc1c5242ee1ed4ff5d22718403f
                                    • Instruction ID: 44beffafb2da4f65d4dff8cd65ca66466de672384884d1bddeadb8e6cf5aeac5
                                    • Opcode Fuzzy Hash: 39cf4d928aac67b8d5a69738a7e6ccd3add39fc1c5242ee1ed4ff5d22718403f
                                    • Instruction Fuzzy Hash: 225134B1804648CBCB11CF65DD057EEBBF8FB04324F20476AD429A7391E7759A08CBA5
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00AC2F10
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    • GetProcAddress.KERNEL32(SetWindowTheme), ref: 00AC2F4D
                                    • __Init_thread_footer.LIBCMT ref: 00AC2F64
                                    • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00AC2F8F
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                      • Part of subcall function 00AA2620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AA2661
                                      • Part of subcall function 00AA2620: _wcschr.LIBVCRUNTIME ref: 00AA271F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
                                    • String ID: SetWindowTheme$UxTheme.dll$explorer
                                    • API String ID: 3852524043-3123591815
                                    • Opcode ID: 6d863a73a7c2e814d22518251dad85e5e431c127bfcb2943d88af5b3e44c59fa
                                    • Instruction ID: c78b137a06f7f2e9ce643818f89a3636808c973865a78d70e7c55d34bec66c09
                                    • Opcode Fuzzy Hash: 6d863a73a7c2e814d22518251dad85e5e431c127bfcb2943d88af5b3e44c59fa
                                    • Instruction Fuzzy Hash: 1921A2B0A48604ABC710DF64EC06F9DB7A0EB05720F204369F425A77D0EB70AE41DB98
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 009F9A4A
                                    • GetWindow.USER32(?,00000005), ref: 009F9A57
                                    • GetWindow.USER32(00000000,00000002), ref: 009F9B92
                                      • Part of subcall function 009F98A0: GetWindowRect.USER32(?,?), ref: 009F98CC
                                      • Part of subcall function 009F98A0: GetWindowRect.USER32(?,?), ref: 009F98DC
                                    • GetWindowRect.USER32(?,?), ref: 009F9AEB
                                    • GetWindowRect.USER32(00000000,?), ref: 009F9AFB
                                    • GetWindowRect.USER32(00000000,?), ref: 009F9B15
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Rect
                                    • String ID:
                                    • API String ID: 3200805268-0
                                    • Opcode ID: 2307eddf0fa6f9d5915ed2614ed3defcadf67319cec316aeeec14187068e1086
                                    • Instruction ID: 8ca33c3d9c082e43c34476cb608a044932de73b73bc4cbc17e718a91201da580
                                    • Opcode Fuzzy Hash: 2307eddf0fa6f9d5915ed2614ed3defcadf67319cec316aeeec14187068e1086
                                    • Instruction Fuzzy Hash: D24178315087059BC721DF29C980B7BF7E9AF9A704F504A1DF28693561EB30E989CB52
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00B76800,00000000,?,?,009F0C24,?), ref: 00B7667A
                                    • HeapAlloc.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B76681
                                      • Part of subcall function 00B7674C: IsProcessorFeaturePresent.KERNEL32(0000000C,00B76668,00000000,?,00B76800,00000000,?,?,009F0C24,?), ref: 00B7674E
                                    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00B76800,00000000,?,?,009F0C24,?), ref: 00B76691
                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,009F0C24,?), ref: 00B766B8
                                    • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,009F0C24,?), ref: 00B766CC
                                    • InterlockedPopEntrySList.KERNEL32(00000000,?,?,009F0C24,?), ref: 00B766DF
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,009F0C24,?), ref: 00B766F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                    • String ID:
                                    • API String ID: 2460949444-0
                                    • Opcode ID: 1722b7795164e5e243deb6b7214091870a2613a50f6ade4d2ebb1095455242cf
                                    • Instruction ID: 9f4226b8642fbc4382cc1759de8221c3b47b4aa8aecf5df4e0ae91410d4da852
                                    • Opcode Fuzzy Hash: 1722b7795164e5e243deb6b7214091870a2613a50f6ade4d2ebb1095455242cf
                                    • Instruction Fuzzy Hash: 7F11B275600E21BBEB215B68AC48F7A77EDEB48784F508465FD19E7190DE60DC00CBA4
                                    APIs
                                      • Part of subcall function 00B13390: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00B1152A,?,C310823C,?,?,?,000000FF,?,00B10EF4), ref: 00B1339D
                                      • Part of subcall function 00B13390: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B1152A,?,C310823C,?,?,?,000000FF,?,00B10EF4,?), ref: 00B133BE
                                      • Part of subcall function 00B13390: GetLastError.KERNEL32(?,C310823C,?,?,?,000000FF,?,00B10EF4,?,?,00000000,00000000,C310823C,?,?), ref: 00B1341E
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • ResetEvent.KERNEL32(?,00000000,00BE499D), ref: 00B115FA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B11619
                                    • WaitForSingleObject.KERNEL32(C310823C,000000FF), ref: 00B11620
                                      • Part of subcall function 009E9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,009F6AC0,-00000010,?,00B21897,00000008,C310823C), ref: 009E9143
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
                                    • String ID: GET$attachment$filename
                                    • API String ID: 818129584-3911147371
                                    • Opcode ID: 518d64f1221a31d5eff1556ae71f935582c066bc9c12507f12c4786aacc89e55
                                    • Instruction ID: 84d374bf9b15a0e92282fe6908ddb81c6ca0d0fbbd6a9d14922288a61e723af7
                                    • Opcode Fuzzy Hash: 518d64f1221a31d5eff1556ae71f935582c066bc9c12507f12c4786aacc89e55
                                    • Instruction Fuzzy Hash: 4002A9B0901249DFDB00DFA8C948BEEBBF4EF15314F1485ADE515AB291EB749E44CBA0
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • _wcschr.LIBVCRUNTIME ref: 00B27D2B
                                    • _wcschr.LIBVCRUNTIME ref: 00B27DD2
                                    • _wcschr.LIBVCRUNTIME ref: 00B27DF1
                                      • Part of subcall function 009E9120: FindResourceW.KERNEL32(00000000,?,00000006,-00000010,?,?,009F6AC0,-00000010,?,00B21897,00000008,C310823C), ref: 009E9143
                                    • _wcschr.LIBVCRUNTIME ref: 00B27E93
                                    • GetTickCount.KERNEL32 ref: 00B2803A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
                                    • String ID: 0123456789AaBbCcDdEeFf
                                    • API String ID: 2181188311-3822820098
                                    • Opcode ID: 40a5d9410e114961c529fe42a2b1569215e9fb7c77214426b116c4487322d4c7
                                    • Instruction ID: a9004e17b49ed59ce22894547f152f651fdd2c6b10cb0a43e5d3efd9d396cb14
                                    • Opcode Fuzzy Hash: 40a5d9410e114961c529fe42a2b1569215e9fb7c77214426b116c4487322d4c7
                                    • Instruction Fuzzy Hash: CDD12470A04A158FDB10DF68D888BAEB7F5FF48320F14829DE45997291DB34ED45CBA4
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,C310823C,?,00000000), ref: 00AE1AB9
                                    • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00AE1B29
                                    • CloseHandle.KERNEL32(?), ref: 00AE1D2E
                                    • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00AE1DB5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$Read$CloseCreateHandle
                                    • String ID:
                                    • API String ID: 1724936099-0
                                    • Opcode ID: 5bf8bbb67a4bfee5a3522efa9edc3e723bde2a7c3fb5fa664a8c3d54947c83e9
                                    • Instruction ID: bb3f7477e5d56750ba50c48f3490fd95c12838a77feea3b14825906592db306a
                                    • Opcode Fuzzy Hash: 5bf8bbb67a4bfee5a3522efa9edc3e723bde2a7c3fb5fa664a8c3d54947c83e9
                                    • Instruction Fuzzy Hash: E7C18D71E00358DBDB20CFA5CD89BAEBBB5EF44304F208659E415AB281E770AE45CB91
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00C87008,C310823C,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00BA1605), ref: 009F4F7A
                                    • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00BA1605), ref: 009F4FFA
                                    • EnterCriticalSection.KERNEL32(00C87024,?,?,?,?,?,?,?,?,?,?,?,00000000,00BA1605,000000FF), ref: 009F51B3
                                    • LeaveCriticalSection.KERNEL32(00C87024,?,?,?,?,?,?,?,?,?,?,00000000,00BA1605,000000FF), ref: 009F51D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Enter$FileLeaveModuleName
                                    • String ID: v
                                    • API String ID: 1807155316-3261393531
                                    • Opcode ID: 4fc553b02c245f64a85efe144a7210a226f5efe56b29189faad7d6eb05b8e049
                                    • Instruction ID: df6e0a61d3c3e95f259e99c67b6f87f623ed031470ffbbcba94f8ff6a72216c3
                                    • Opcode Fuzzy Hash: 4fc553b02c245f64a85efe144a7210a226f5efe56b29189faad7d6eb05b8e049
                                    • Instruction Fuzzy Hash: 5AB18270A04648DFDB10CFA4C888BBEBBB8BF05314F194158EA14EB291CB75ED45CBA0
                                    APIs
                                    • CoCreateInstance.COMBASE(00C0480C,00000000,00000001,00C04E94,?), ref: 009F0FA0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CreateInstance
                                    • String ID: :${
                                    • API String ID: 542301482-3766677574
                                    • Opcode ID: 5cd469fea2f7efe5f1f38592ec104a41fd9c8d906b834d45c564759bc46435d0
                                    • Instruction ID: c3e72c133cf6edfe5d2da51fcafd7bb4aceb72b66627965fd6bf493139a7d6c1
                                    • Opcode Fuzzy Hash: 5cd469fea2f7efe5f1f38592ec104a41fd9c8d906b834d45c564759bc46435d0
                                    • Instruction Fuzzy Hash: 5C619374A00259DBDF248F95CC54BBEB7E8EB49714F184469FA05EB2C1DB759C80CBA0
                                    APIs
                                    • SysFreeString.OLEAUT32(?), ref: 00A150E4
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A15159
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00A151BF
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00A151C5
                                    • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00A151F5
                                    • HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00A151FB
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A15213
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Free$Heap$String$Process
                                    • String ID:
                                    • API String ID: 2680101141-0
                                    • Opcode ID: fcbfab3ccd3128fced6c2acef7f63a04d3008da7064619581eefe47c115556c0
                                    • Instruction ID: 4203883442df016fec154d65feeaabe9acec8df42fd855db4f82f24ca3c243da
                                    • Opcode Fuzzy Hash: fcbfab3ccd3128fced6c2acef7f63a04d3008da7064619581eefe47c115556c0
                                    • Instruction Fuzzy Hash: AA61AEB1D01619DFDF11EFB8C845BEEBBB4BF54310F144198E821AB281C7789A45CBA1
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00C87250,C310823C,00000000,00C8726C), ref: 009F2653
                                    • LeaveCriticalSection.KERNEL32(00C87250), ref: 009F26B8
                                    • LoadCursorW.USER32(009E0000,?), ref: 009F2714
                                    • LeaveCriticalSection.KERNEL32(00C87250), ref: 009F27AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Leave$CursorEnterLoad
                                    • String ID: v$ATL:%p
                                    • API String ID: 2080323225-109518622
                                    • Opcode ID: fc52bf873900674c452535ea7d876bde3e645f9b810a92150abd272b215efd91
                                    • Instruction ID: 4fb0a48c22f2f13393ea1fcd864a10b8fbf4b65ee913622f3a9ad54da59257e8
                                    • Opcode Fuzzy Hash: fc52bf873900674c452535ea7d876bde3e645f9b810a92150abd272b215efd91
                                    • Instruction Fuzzy Hash: 4651AB70D04B48CBDB20DF68C944BAABBF4FF58324F00461DE996A3690EB70B984CB50
                                    APIs
                                    • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00A0BCD5
                                    • lstrcpynW.KERNEL32(?,?,00000020), ref: 00A0BD4B
                                    • MulDiv.KERNEL32(?,00000048,00000000), ref: 00A0BD88
                                    • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00A0BDBA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$lstrcpyn
                                    • String ID: ?$t
                                    • API String ID: 3928028829-1995845436
                                    • Opcode ID: 0eb77a655f08a7950522185210a42b030b8c49c90014b5eb61c1e9b6b0842f75
                                    • Instruction ID: cddc130b15fb313a00796f4c9b73d811afece07499302523d5f81fff46ca9dea
                                    • Opcode Fuzzy Hash: 0eb77a655f08a7950522185210a42b030b8c49c90014b5eb61c1e9b6b0842f75
                                    • Instruction Fuzzy Hash: 78516E71908744AFE721DF60DC49B9BBBE8EB88700F00492DF69AD6191DBB4D508CB62
                                    APIs
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,C310823C,?,?), ref: 00B0F597
                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,C310823C,00BE450D), ref: 00B0F60F
                                    • GetLastError.KERNEL32 ref: 00B0F620
                                    • WaitForSingleObject.KERNEL32(00BE450D,000000FF), ref: 00B0F63C
                                    • GetExitCodeProcess.KERNEL32(00BE450D,00000000), ref: 00B0F64D
                                    • CloseHandle.KERNEL32(00BE450D), ref: 00B0F657
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B0F672
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
                                    • String ID:
                                    • API String ID: 1153077990-0
                                    • Opcode ID: 11394958e7af6c2df362538dd78472e8d97cf60b395fa1ac9019c5bebf976611
                                    • Instruction ID: 74ea323ef2029527563eab898e179e6a79a7aaddb6ea9348a8190a9a6fa374ac
                                    • Opcode Fuzzy Hash: 11394958e7af6c2df362538dd78472e8d97cf60b395fa1ac9019c5bebf976611
                                    • Instruction Fuzzy Hash: 43416F31E0438AABDB10CFA5CD087EEBBF4EF49714F148669E425A7290DB759A40CF50
                                    APIs
                                    • LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00B07731,00000000,C310823C,?,00000010,00000000), ref: 00B21C5B
                                    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00B21C71
                                    • FreeLibrary.KERNEL32(00000000), ref: 00B21CAA
                                    • FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00B07731,00000000,C310823C,?,00000010,00000000), ref: 00B21CC6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Library$Free$AddressLoadProc
                                    • String ID: DllGetVersion$Shlwapi.dll
                                    • API String ID: 1386263645-2240825258
                                    • Opcode ID: 5ba1bb7afbd2be58c2d47fdca0b2865185a96fcc888ca2eaba5385fa87cf1da8
                                    • Instruction ID: e9f58f27bd03112810ec9f93370f4146025647cdf721fa8f32e1de9d66ff4b7f
                                    • Opcode Fuzzy Hash: 5ba1bb7afbd2be58c2d47fdca0b2865185a96fcc888ca2eaba5385fa87cf1da8
                                    • Instruction Fuzzy Hash: BA2180766046114BC704AF2DEC41A7BB7E4FFE9610B80096EF899C7201EF25984586A2
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,00B910AF,00B8E2B4,0000000C,?,00000000,00000000,?,00B912D9,00000021,FlsSetValue,00BFDF90,00BFDF98,?), ref: 00B91063
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 3664257935-537541572
                                    • Opcode ID: 3825583ba23aaccdb57381352a53584bab4d9863910d3790ce73e6ee7e5206c6
                                    • Instruction ID: 2cd165bd58167f1a9496879da0ad0684cb2ce4a32603f4f85e007fc4cd96f9e0
                                    • Opcode Fuzzy Hash: 3825583ba23aaccdb57381352a53584bab4d9863910d3790ce73e6ee7e5206c6
                                    • Instruction Fuzzy Hash: 4B21E735A01256ABCF32AB38DC80B6E37E9EB417A0F1409B0E915A72D0DB71ED40DBD0
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00B740E3,00B74046,00B742E7), ref: 00B7407F
                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B74095
                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B740AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                    • API String ID: 667068680-1718035505
                                    • Opcode ID: fa8d64f1ac4b71c71265e54beb35e1914a79575fa74735ccb1cea0c3cf64c138
                                    • Instruction ID: 445bc882e86eee1f705ecb8766ebbe6889d9bfabef67ecdcd4b3f3d2ba7ad3ac
                                    • Opcode Fuzzy Hash: fa8d64f1ac4b71c71265e54beb35e1914a79575fa74735ccb1cea0c3cf64c138
                                    • Instruction Fuzzy Hash: FCF0C271740762AB8F315E704C8437B62ECDA0535331181BAEB2AE3290EB91CC49EFD0
                                    APIs
                                    • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00A0E3B7
                                    • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00A0E3DF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0E3F7
                                    • SendMessageW.USER32(?,0000130A,00000000,?), ref: 00A0E428
                                    • GetParent.USER32(?), ref: 00A0E504
                                    • SendMessageW.USER32(00000000,00000136,?,?), ref: 00A0E515
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$Parent
                                    • String ID:
                                    • API String ID: 1020955656-0
                                    • Opcode ID: 1bb084927e62aa990559802357b6d8d17e3c11b19183a3960ed597a87011ebe0
                                    • Instruction ID: 58161299a5d387737bc0b9790ff225858235a93a8772c711cbe091ee84548e24
                                    • Opcode Fuzzy Hash: 1bb084927e62aa990559802357b6d8d17e3c11b19183a3960ed597a87011ebe0
                                    • Instruction Fuzzy Hash: EC610672900618AFDB119FE4DC49FEEBBB9FF49710F140119F619AB2A0CBB16940CB54
                                    APIs
                                    • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00AC2CBB
                                    • GetParent.USER32(00000000), ref: 00AC2D0E
                                    • GetWindowRect.USER32(00000000), ref: 00AC2D11
                                    • GetParent.USER32(00000000), ref: 00AC2D20
                                      • Part of subcall function 00A7FEF0: GetWindowRect.USER32(?,?), ref: 00A7FF82
                                      • Part of subcall function 00A7FEF0: GetWindowRect.USER32(?,?), ref: 00A7FF9A
                                    • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00AC2E10
                                    • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00AC2E23
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageRectSendWindow$Parent
                                    • String ID:
                                    • API String ID: 425339167-0
                                    • Opcode ID: f0bef6804058d3b8d98bc6c7697fd12e6956233cada4c13cd60cb18450a2bc48
                                    • Instruction ID: 6306715167b73adae8d2786330408935bab3317cef7adbe7b5259f2a0eef7ffc
                                    • Opcode Fuzzy Hash: f0bef6804058d3b8d98bc6c7697fd12e6956233cada4c13cd60cb18450a2bc48
                                    • Instruction Fuzzy Hash: 4D513871D00708ABDB11DFA8CD45BDEBBF8EF59710F144319E815A7291EBB06A81CB54
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AD6FAA
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AD6FCC
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00AD6FF4
                                    • __Getctype.LIBCPMT ref: 00AD70D5
                                    • std::_Facet_Register.LIBCPMT ref: 00AD7137
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00AD7161
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                    • String ID:
                                    • API String ID: 1102183713-0
                                    • Opcode ID: 749dd00fd3cd620f925d2261a76d73ab77f01fed8f978a40ade86cb82a8713e0
                                    • Instruction ID: 683d90b337c28acf8bd59f549ae95f9dabeb0c1dfca5c6fbd5d1092af2be1ead
                                    • Opcode Fuzzy Hash: 749dd00fd3cd620f925d2261a76d73ab77f01fed8f978a40ade86cb82a8713e0
                                    • Instruction Fuzzy Hash: 6061CDB1C05649CFDB14CF68C941BAEBBF0FF14310F14829AD859AB392E774AA44CB91
                                    APIs
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A0FCED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$`Dialog_`='
                                    • API String ID: 3850602802-1655181372
                                    • Opcode ID: 8543ac461bf85c8c58e2c03b5d4720694b49297aa75a61d1839d1d318733b8cb
                                    • Instruction ID: 423a660adc39ffe0466ccabd0acc8aa6b4d212d199b0e753ad5dc64c526abcb8
                                    • Opcode Fuzzy Hash: 8543ac461bf85c8c58e2c03b5d4720694b49297aa75a61d1839d1d318733b8cb
                                    • Instruction Fuzzy Hash: B5F16971900288DFDF14DF68C889BDEBBB5FF58304F1441A8E914AB292DB75AE44CB91
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00B78760,00B7872C,?,?,00A1254D,00AE1180,?,00000008), ref: 00B78777
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B78785
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B7879E
                                    • SetLastError.KERNEL32(00000000,00B78760,00B7872C,?,?,00A1254D,00AE1180,?,00000008), ref: 00B787F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: eb1b839a5e35d12ee5dbd9f6726f87bd14a10d73a576971eb78c8b7fb0339aa5
                                    • Instruction ID: 0b1f70b2f212635124c751f9c7c51051d1fd13f3328b1c6ed9cbab31f9ec7494
                                    • Opcode Fuzzy Hash: eb1b839a5e35d12ee5dbd9f6726f87bd14a10d73a576971eb78c8b7fb0339aa5
                                    • Instruction Fuzzy Hash: C001B1322493116EA7283678ACCDB3B2BE4EB0277473082BEF43D966F1EF114C419651
                                    APIs
                                    • GetShortPathNameW.KERNEL32(C310823C,00000000,00000000), ref: 00AF4B6F
                                    • GetShortPathNameW.KERNEL32(?,?,?), ref: 00AF4BDD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: NamePathShort
                                    • String ID: neutral$x64$x86
                                    • API String ID: 1295925010-1541741584
                                    • Opcode ID: fdedb3a6b3ddf6e09d9e244cf6af427a8ebdcf674548c817ee4fdd2b0b6ee2ad
                                    • Instruction ID: 3b90b1581032c1f7a7786875c551a1d16c6a49f783e8ef4c1b323082d95a4a32
                                    • Opcode Fuzzy Hash: fdedb3a6b3ddf6e09d9e244cf6af427a8ebdcf674548c817ee4fdd2b0b6ee2ad
                                    • Instruction Fuzzy Hash: CDB1B271A01248EFDB00DFA8C849BEEFBB4EF48324F148159E515AB391DB74AA44CB95
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 00AEA85B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID: Close$Copy$Details >>$Send Error Report
                                    • API String ID: 4139908857-113472931
                                    • Opcode ID: 9c759375d87e8f51e109aab05d6ac124650e73e1ba861e478579516f315e8ede
                                    • Instruction ID: c97df15221393a4ad76264aaf111f89cde41d514e79c626e55b631cb686d49db
                                    • Opcode Fuzzy Hash: 9c759375d87e8f51e109aab05d6ac124650e73e1ba861e478579516f315e8ede
                                    • Instruction Fuzzy Hash: A8A19F70A50246ABEB24DF61CC56FAEB7B5BF54700F044229F611BB2C0EBB0A945CB91
                                    APIs
                                    • _wcsrchr.LIBVCRUNTIME ref: 00B21104
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • DeleteFileW.KERNEL32(?), ref: 00B211AA
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00B212DF
                                      • Part of subcall function 00B10510: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,C310823C,00000001,75A8EB20,00000000), ref: 00B1055F
                                      • Part of subcall function 00B10510: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,C310823C,00000001,75A8EB20,00000000), ref: 00B10595
                                      • Part of subcall function 00B0D930: LoadStringW.USER32(000000CA,?,00000514,C310823C), ref: 00B0D986
                                    • _wcsrchr.LIBVCRUNTIME ref: 00B21219
                                    Strings
                                    • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00B2115E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: File$DeleteInit_thread_footer_wcsrchr$CreateHeapLoadProcessReadString
                                    • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                    • API String ID: 675357196-3685554107
                                    • Opcode ID: 176a9f5f1ccd6457d93be542b1b6e3632515ca1555eb843a88d06ca412e3b8d7
                                    • Instruction ID: f266098b9ea6c9297059e31476a098265d2339178dd4315a5fa177aa1a6d879e
                                    • Opcode Fuzzy Hash: 176a9f5f1ccd6457d93be542b1b6e3632515ca1555eb843a88d06ca412e3b8d7
                                    • Instruction Fuzzy Hash: D991AE31A00649DFDB00DBADC844B9EBBF5EF55321F1486A9E819DB2A2DB31DD04CB90
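The records above are the per-function output of the Joe Sandbox IDA plugin: each lists the imported calls a function makes (name, module, the argument values the sandbox could recover, and the call-site address), the string literals it references with their xrefs, and the similarity IDs used to match the function against other samples. Two of them are the evidence behind signatures in the summary. The GetModuleHandleW/GetProcAddress pair resolving AcquireSRWLockExclusive and ReleaseSRWLockExclusive is what "Contains functionality to dynamically determine API calls" fires on; this shape, together with the neighbouring record that tests module names against the api-ms-/ext-ms- prefixes, is consistent with the MSVC runtime's own compatibility thunks probing for APIs that older Windows versions lack, so such a hit is only worth time once the resolved names are known. The DeleteFileW calls beside the `--verbose --log-file="%s" --remove-pack-file "%s" "%s"` template are a setup bootstrapper deleting its own package, and the Caphyon.AI.ExtUI strings and MSI table fragments (`Dialog_`, `Control_`, ControlEvent, AiTabPage) are consistent with an Advanced Installer (Caphyon) stub. The script below is an added example, not part of the report or of Joe Sandbox: it parses this record layout from saved report text and applies two triage rules, one that pulls out the names a function resolves through GetProcAddress and one that flags file deletion paired with a command-line template. SAMPLE is constructed from two of the records above; the WIN_API_NAME heuristic and the rule names are assumptions of the example.

```python
"""Parse Joe Sandbox per-function records and triage them (added example,
not Joe Sandbox tooling).  SAMPLE is constructed in the report's layout."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00B740E3,00B74046,00B742E7), ref: 00B7407F
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B74095
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B740AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
Similarity
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• Opcode ID: fa8d64f1ac4b71c71265e54beb35e1914a79575fa74735ccb1cea0c3cf64c138
• Instruction Fuzzy Hash: FCF0C271740762AB8F315E704C8437B62ECDA0535331181BAEB2AE3290EB91CC49EFD0
APIs
• _wcsrchr.LIBVCRUNTIME ref: 00B21104
  • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
• DeleteFileW.KERNEL32(?), ref: 00B211AA
• DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00B212DF
Strings
• --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00B2115E
Similarity
• String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
• Opcode ID: 176a9f5f1ccd6457d93be542b1b6e3632515ca1555eb843a88d06ca412e3b8d7
• Instruction Fuzzy Hash: D991AE31A00649DFDB00DBADC844B9EBBF5EF55321F1486A9E819DB2A2DB31DD04CB90
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix, then
# Name.MODULE, optional (args), optional comma, " ref: " call-site address.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[\w:~]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
# Heuristic (assumption): an export name looks like AcquireSRWLockExclusive, not "00000000" or "?"
WIN_API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, module, args, ref, from_subcall)
    strings: list = field(default_factory=list)  # literals listed under "Strings"
    meta: dict = field(default_factory=dict)     # "String ID", "Opcode ID", "Source File", ...

    @property
    def string_ids(self):
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_records(text):
    """One FunctionRecord per '• Instruction Fuzzy Hash' terminator line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            section = line
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = "meta"
        elif line.startswith("• "):
            body = line[2:]
            if section == "APIs":
                if m := API_RE.match(body):
                    args = m["args"].split(",") if m["args"] else []
                    cur.apis.append((m["name"], m["module"], args, m["ref"], bool(m["sub"])))
            elif section == "Strings":
                literal, sep, _xref = body.rpartition(", xrefs: ")
                cur.strings.append(literal if sep else body)
            else:
                key, _, value = body.partition(":")
                cur.meta[key.strip()] = value.strip()
                if key.strip() == "Instruction Fuzzy Hash":  # last line of a record
                    records.append(cur)
                    cur, section = FunctionRecord(), None
    return records

def dynamic_api_targets(rec):
    """Names resolved via GetProcAddress: from the logged argument when the
    sandbox saw it, else from the record's String ID literals."""
    if all(api[0] != "GetProcAddress" for api in rec.apis):
        return []
    seen = {a for name, _, args, _, _ in rec.apis if name == "GetProcAddress"
            for a in args[1:] if WIN_API_NAME.match(a)}
    seen |= {s for s in rec.string_ids if WIN_API_NAME.match(s)}
    return sorted(seen)

def deletes_files_with_cmdline(rec):
    """Deletes files itself (not only via a subcall) and carries a command-line
    template with quoted %s placeholders: the shape of a self-cleaning updater."""
    deletes = any(n in ("DeleteFileW", "DeleteFileA") and not sub for n, _, _, _, sub in rec.apis)
    template = any(s.startswith("--") or '"%s"' in s for s in rec.strings + rec.string_ids)
    return deletes and template

def triage(text):
    """(opcode-id prefix, rule, evidence) for every record that a rule matches."""
    findings = []
    for rec in parse_records(text):
        opcode = rec.meta.get("Opcode ID", "")[:12]
        if targets := dynamic_api_targets(rec):
            findings.append((opcode, "dynamic-api-resolution", targets))
        if deletes_files_with_cmdline(rec):
            findings.append((opcode, "delete-file+cmdline", rec.strings))
    return findings

if __name__ == "__main__":
    for opcode, rule, evidence in triage(SAMPLE):
        print(f"{opcode}  {rule:24}  {evidence}")
```

To run it over a real report, replace SAMPLE with the saved text of the function listing; the parser keys only on the `APIs`/`Strings`/`Similarity` headers and the bullet lines, so the indentation and the memory-dump metadata between records do not matter. The `from_subcall` flag matters for the second rule: a DeleteFileW reached only through a "Part of subcall function" line belongs to a callee and should not be attributed to the function under review.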
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 009E8945
                                    • __Init_thread_footer.LIBCMT ref: 009E89BF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: </a>$<a href="$<a>
                                    • API String ID: 1385522511-4210067781
                                    • Opcode ID: d6c55d8b9d00bcc4c3de4a2dba97e6796ac189a4f4a6dceafe7f3bf2013c5146
                                    • Instruction ID: f690a4b6dede42bdb037aa4ca8dea13791cb0f69b81544c293519f7387fdd4a0
                                    • Opcode Fuzzy Hash: d6c55d8b9d00bcc4c3de4a2dba97e6796ac189a4f4a6dceafe7f3bf2013c5146
                                    • Instruction Fuzzy Hash: 7EA1D3B0A04204EFCB05DFA4D889BAEB7B5FF44314F244769E419AB6D1EB30AD45CB54
                                    APIs
                                    • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00A0E23D
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00A0E252
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00A0E25A
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                      • Part of subcall function 00A0FCA0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A0FCED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateCreateHeapWindow
                                    • String ID: SysTabControl32$TabHost
                                    • API String ID: 2359350451-2872506973
                                    • Opcode ID: d35bcc20c665eed356f586866e4049a2f1e164df3852c11fd6c9e25c5bdee0e8
                                    • Instruction ID: 2f9d4f95a4e7719ab2722b14cc958f884435cd67bfab6c179316ef0992513655
                                    • Opcode Fuzzy Hash: d35bcc20c665eed356f586866e4049a2f1e164df3852c11fd6c9e25c5bdee0e8
                                    • Instruction Fuzzy Hash: 52518D71A006099FDB14DF69C844BAEBBF9FF89310F14466DE815A7391DB71AD00CBA0
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,C310823C), ref: 009F6FE1
                                    • GetLastError.KERNEL32 ref: 009F700A
                                    • RegCloseKey.ADVAPI32(?,00000000,00000000,?,00C0438C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 009F7153
                                    Strings
                                    • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 009F6FD6
                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 009F704A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorEventLast
                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                    • API String ID: 1713683948-2079760225
                                    • Opcode ID: 3d069d2f8407f902f06e2ecdf9d3d0fe127ba14b8ff4e80f39a25d6b741c44fe
                                    • Instruction ID: 04a1ce044643e8fe2e728979695d1b9c26981849fbe9213371185fbbf56309e5
                                    • Opcode Fuzzy Hash: 3d069d2f8407f902f06e2ecdf9d3d0fe127ba14b8ff4e80f39a25d6b741c44fe
                                    • Instruction Fuzzy Hash: 7C615CB0D05748EFDB11CFA8C945B9EFBF4AF14304F108699E559A7281DBB4AA08CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
                                    • API String ID: 0-3551742416
                                    • Opcode ID: 6a8167805b341ad2a1d0a78a143e4a3c95f3d9f7638074341103e25fec26ce87
                                    • Instruction ID: 112c806ae0ba8bada9f9a9fe791e56eb8b4a5736715379aa3717276b78af94df
                                    • Opcode Fuzzy Hash: 6a8167805b341ad2a1d0a78a143e4a3c95f3d9f7638074341103e25fec26ce87
                                    • Instruction Fuzzy Hash: A321F072A44205ABCB149F68D844BBAF7E9FB45B60F5046AAE825D73D0EF31ED40C790
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,00B7B9DF,?,?,00000000,?,?,00B7BA91,00000002,FlsGetValue,00BFB0D0,00BFB0D8), ref: 00B7B9AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-
                                    • API String ID: 3664257935-2084034818
                                    • Opcode ID: 0a45ca8b14f7a1e9be5ac7a28b3488414da0e4b2400e37620ccee9d834ad9828
                                    • Instruction ID: 32cf4223aad0317cdb3656cba168f9cb68cce567855b5c70d7125f1c509d95e3
                                    • Opcode Fuzzy Hash: 0a45ca8b14f7a1e9be5ac7a28b3488414da0e4b2400e37620ccee9d834ad9828
                                    • Instruction Fuzzy Hash: F1117332A01225ABCB229B689C44F6E73E4EF41760F254590EB79EB280DB60ED00CED5
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C310823C,?,?,00000000,00BF7106,000000FF,?,00B8D7F2,?,?,00B8D7C6,?), ref: 00B8D897
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B8D8A9
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00BF7106,000000FF,?,00B8D7F2,?,?,00B8D7C6,?), ref: 00B8D8CB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: f656f72a4a57b534a56f532480aaf03c8471311ca4d941c8bb1546a52fb6f9f0
                                    • Instruction ID: f04fef2fce9ec5cac059c51da5b7ca983e149f9ba9e76e2c15dccc2caa87fe67
                                    • Opcode Fuzzy Hash: f656f72a4a57b534a56f532480aaf03c8471311ca4d941c8bb1546a52fb6f9f0
                                    • Instruction Fuzzy Hash: A0016D32A44629EFDB119B54DC05FBEBBF9FB04B10F00856AE921A36E0DF749904CB90
                                    APIs
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00AE88AE
                                    • GetProcAddress.KERNEL32(00000000), ref: 00AE88B5
                                    • __Init_thread_footer.LIBCMT ref: 00AE88CC
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                    • String ID: Dbghelp.dll$SymFromAddr
                                    • API String ID: 3268644551-642441706
                                    • Opcode ID: 99b10ed9ed2fe94823da04abe57d91e09828953cbe524647eac1416c632e4874
                                    • Instruction ID: 0eac284edc46a693af478c7ce9c2c1e37defb60f3752358746d603537ca84f3b
                                    • Opcode Fuzzy Hash: 99b10ed9ed2fe94823da04abe57d91e09828953cbe524647eac1416c632e4874
                                    • Instruction Fuzzy Hash: 3401B171A48644EFC710DF58ED46B5AB3A4E708720F2083B5E829937E0EB34A800CB15
                                    APIs
                                    • SleepConditionVariableCS.KERNELBASE(?,00B77137,00000064), ref: 00B771BD
                                    • LeaveCriticalSection.KERNEL32(00C85CD8,?,?,00B77137,00000064,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C), ref: 00B771C7
                                    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00B77137,00000064,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C), ref: 00B771D8
                                    • EnterCriticalSection.KERNEL32(00C85CD8,?,00B77137,00000064,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010), ref: 00B771DF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                    • String ID: v
                                    • API String ID: 3269011525-3261393531
                                    • Opcode ID: cb8e66f8710bf704172662fea74cc4059effd4357f8f62bc3f7f71d7e67950b0
                                    • Instruction ID: e6c4c1339f3fc9ef6546ab3ccef11a82c4cbcf197eb52ee424be9b5a7422497c
                                    • Opcode Fuzzy Hash: cb8e66f8710bf704172662fea74cc4059effd4357f8f62bc3f7f71d7e67950b0
                                    • Instruction Fuzzy Hash: D0E01231681734BBCB012FA5ED09BAD3F58EB08B52B514060F909B7560CFE11900DFD8
                                    APIs
                                      • Part of subcall function 00A028C0: __Init_thread_footer.LIBCMT ref: 00A0292F
                                    • SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00A007B2
                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00A00867
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00A00906
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00A009B1
                                      • Part of subcall function 009F2A50: RaiseException.KERNEL32(C310823C,C310823C,00000000,00000000,00B2197B,C000008C,00000001,C310823C), ref: 009F2A5C
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00A00A37
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$ExceptionInit_thread_footerRaise
                                    • String ID:
                                    • API String ID: 3442259968-0
                                    • Opcode ID: bbc480a8e54071562cf97139e9799e9987127cc18d94f8fcff39b6b047997379
                                    • Instruction ID: 8c61d750d25fb364da572b189255a6209957ea83c2afcdda83a5cc43253b5d94
                                    • Opcode Fuzzy Hash: bbc480a8e54071562cf97139e9799e9987127cc18d94f8fcff39b6b047997379
                                    • Instruction Fuzzy Hash: A1B1F8B1D0175D9BEB20CF54CD54BDEBBB1BF49308F108299E9186B281E7B56A84CF90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A46F9E
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00A46FA4
                                    • GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00A46FCF
                                    • HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00A46FD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID: _TEMP
                                    • API String ID: 3859560861-1625495653
                                    • Opcode ID: 4b67d6ea1fe4dce87752c69bcd2152b3e267db0e4c9692355fe77dfa22c9af4b
                                    • Instruction ID: b8ca9c38c8ae42e46ec184cbdef510d88bbded5f09f736b6d1ac970697f6ccb5
                                    • Opcode Fuzzy Hash: 4b67d6ea1fe4dce87752c69bcd2152b3e267db0e4c9692355fe77dfa22c9af4b
                                    • Instruction Fuzzy Hash: AF91AAB4D01248DFDB14DFA8C985BEEBBB4BF88324F2442ACE415A7291C7745A44CBA1
                                    APIs
                                      • Part of subcall function 00A3A6C0: GetWindowLongW.USER32(?,000000F0), ref: 00A3A6E0
                                      • Part of subcall function 00A3A6C0: SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00A3A70E
                                      • Part of subcall function 00A3A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00A3A53C), ref: 00A3A71F
                                      • Part of subcall function 00A3A6C0: GetWindowLongW.USER32(?,000000EC), ref: 00A3A753
                                      • Part of subcall function 00A3A6C0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A3A77F
                                      • Part of subcall function 00A3A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00A3A53C), ref: 00A3A796
                                      • Part of subcall function 00A3A6C0: GetWindowLongW.USER32(?,000000F0), ref: 00A3A7BA
                                      • Part of subcall function 00A3A6C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A3A7D2
                                      • Part of subcall function 00A3A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00A3A53C), ref: 00A3A7E3
                                    • GetWindowRect.USER32(?,?), ref: 00A3A589
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00A3A5B0
                                    • GetWindowRect.USER32(?,00000000), ref: 00A3A5FB
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,00000000), ref: 00A3A632
                                    • SetWindowTextW.USER32(?,C310823C), ref: 00A3A674
                                      • Part of subcall function 00A45A70: GetWindowLongW.USER32(?,000000F0), ref: 00A45AB7
                                      • Part of subcall function 00A45A70: GetParent.USER32 ref: 00A45ACD
                                      • Part of subcall function 00A45A70: GetWindowRect.USER32(?,?), ref: 00A45AD8
                                      • Part of subcall function 00A45A70: GetParent.USER32(?), ref: 00A45AE0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Long$Rect$Parent$Text
                                    • String ID:
                                    • API String ID: 1351983003-0
                                    • Opcode ID: 6835721fcd8fc6aeef3918ccd5fb391dd5a2b0e2c6b47e1e3fffee1759d26798
                                    • Instruction ID: 220b576d5834fa2c8ffa494da510ed4b794aa8123be37cd0a3bea246836dbf4e
                                    • Opcode Fuzzy Hash: 6835721fcd8fc6aeef3918ccd5fb391dd5a2b0e2c6b47e1e3fffee1759d26798
                                    • Instruction Fuzzy Hash: 69512A71E00509AFDB04DFA4DD85BEEFBB8FF48314F108225E825A7290DB70A955CB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ItemMessageSendWindow
                                    • String ID:
                                    • API String ID: 799199299-0
                                    • Opcode ID: 1cfc3996eb7265f25d1ef78a0e4666a3c4b46d2fcbbf674a81e59255c63434ea
                                    • Instruction ID: 21727664bdacddc3d9de0fd6367c1c34eb5baaec1b7bb4d93c2addde98714102
                                    • Opcode Fuzzy Hash: 1cfc3996eb7265f25d1ef78a0e4666a3c4b46d2fcbbf674a81e59255c63434ea
                                    • Instruction Fuzzy Hash: 81416032200685EFDB168F56E8A4A66B7E9FB88311B04887FE546C6572D732FC50DB60
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00ADCCD4
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00ADCCF6
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADCD1E
                                    • std::_Facet_Register.LIBCPMT ref: 00ADCE07
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADCE31
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                    • String ID:
                                    • API String ID: 459529453-0
                                    • Opcode ID: 41aa58fdcf3b81772b2e73ca99a4f2bf1e60b4d0313183ec4ef67a67037e82a0
                                    • Instruction ID: 8e5c51500eaf5a83d48cbc8f616d903ea5ec39c4193146bc61290169e0d8ece7
                                    • Opcode Fuzzy Hash: 41aa58fdcf3b81772b2e73ca99a4f2bf1e60b4d0313183ec4ef67a67037e82a0
                                    • Instruction Fuzzy Hash: 0D51BF71900259DFDB11CF58C840BAEBBF0FB10724F6481AED85AAB381E775AE05CB90
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00A37B59
                                    • CoInitializeEx.COMBASE(00000000,00000002), ref: 00A37B69
                                    • SendMessageW.USER32(?,000005FA,?,00000000), ref: 00A37C81
                                      • Part of subcall function 00A46100: EnterCriticalSection.KERNEL32(C310823C,C310823C), ref: 00A46140
                                      • Part of subcall function 00A46100: GetCurrentThreadId.KERNEL32 ref: 00A46153
                                      • Part of subcall function 00A46100: LeaveCriticalSection.KERNEL32(?), ref: 00A461D1
                                      • Part of subcall function 00A40200: SetLastError.KERNEL32(0000000E,?,00A37BEF,?,?,00C0D550,00000000), ref: 00A40218
                                    • GetLastError.KERNEL32(?,?,00C0D550,00000000), ref: 00A37BF3
                                    • ShowWindow.USER32(?,0000000A,?,?,00C0D550,00000000), ref: 00A37C05
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
                                    • String ID:
                                    • API String ID: 2782539745-0
                                    • Opcode ID: 530f6c3acd88fa6dbe0a64fc16b6e1783cf1ebf850daa2c65765072275b3afc1
                                    • Instruction ID: 076270cb98fd5ec8a15262ea53b05ad0f6b99285c98d2628aea1f7078970bc57
                                    • Opcode Fuzzy Hash: 530f6c3acd88fa6dbe0a64fc16b6e1783cf1ebf850daa2c65765072275b3afc1
                                    • Instruction Fuzzy Hash: AF31CEB1D00208EBEB15EFA4C95ABEEFBB4EF50308F104259F511AB2D1DBB55A44CB91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$Init
                                    • String ID:
                                    • API String ID: 3740757921-0
                                    • Opcode ID: c0645a5be0a5ae5c609e7a00b14f80e9e4ce634215f8e20bc680fc501b893b72
                                    • Instruction ID: 6a6e1d5566c1f296b6569b727d5c7bd1d88691811ab0e24a0ac6b3ef5e283088
                                    • Opcode Fuzzy Hash: c0645a5be0a5ae5c609e7a00b14f80e9e4ce634215f8e20bc680fc501b893b72
                                    • Instruction Fuzzy Hash: D8310771D15248EFDB01CFA8C944BDEBBF8EF49304F14819AE410E7291D7B5AA04CBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A14ABA
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00A14AC0
                                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00A14AE3
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00BA7786,000000FF), ref: 00A14B0B
                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00BA7786,000000FF), ref: 00A14B11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess$FormatMessage
                                    • String ID:
                                    • API String ID: 1606019998-0
                                    • Opcode ID: d71a83ac751285d7c783df3656dfaf5defb22329b1c2ae212c9b5c2d5c8db46d
                                    • Instruction ID: ef52e50feeadc04e8f199be702e0ff732c44ca7002e46d94efa7b61dc6146099
                                    • Opcode Fuzzy Hash: d71a83ac751285d7c783df3656dfaf5defb22329b1c2ae212c9b5c2d5c8db46d
                                    • Instruction Fuzzy Hash: 9D1160B0A49219ABEB10DF98CC42FAFBBFCEB04B04F104559F514A76C1D7B59A0487A0
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00A0109B
                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00A010F8
                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00A01147
                                    • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00A01158
                                    • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00A01165
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow
                                    • String ID:
                                    • API String ID: 312131281-0
                                    • Opcode ID: a403ac8dd27e184045e8cd513a9e808797b9c75871dd846176124ffe0bf025ed
                                    • Instruction ID: aec4b56bb5df93acfe5d32436cc35f8a340d4989ec7de71b172497d9daf850e7
                                    • Opcode Fuzzy Hash: a403ac8dd27e184045e8cd513a9e808797b9c75871dd846176124ffe0bf025ed
                                    • Instruction Fuzzy Hash: 88213E31918746A6D220DF11CD45B5ABBE1BFEE758F202B0EF1D4211E4E7F191848E86
                                    APIs
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                      • Part of subcall function 00AC2A60: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00A00408,00000000,80004005), ref: 00AC2AC8
                                      • Part of subcall function 00AC2A60: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AC2AF8
                                    • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00A0621D
                                    • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00A06234
                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00A06290
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateHeapWindow
                                    • String ID: QuickSelectionList
                                    • API String ID: 3168177373-3633591268
                                    • Opcode ID: 111549c292bfccc1ca35a72e51800ec987c16e332a46421a8505df9e269d1b24
                                    • Instruction ID: 1c73646f4e8b738b600dca4cd9aec3c07de21d4c181202b2e595b4b177783ddd
                                    • Opcode Fuzzy Hash: 111549c292bfccc1ca35a72e51800ec987c16e332a46421a8505df9e269d1b24
                                    • Instruction Fuzzy Hash: E481AB71A002099FDB14DF68C884BEEF7F5FF88314F148269E515A7291CB75AD00CBA0
                                    APIs
                                      • Part of subcall function 00AE1F70: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00AE1FB4
                                      • Part of subcall function 00AE1F70: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AE1FBF
                                    • GetCurrentThreadId.KERNEL32 ref: 00A39BFC
                                    • SendMessageW.USER32(?,00000127,00030003,00000000), ref: 00A39C85
                                    Strings
                                    • AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00A39B29
                                    • AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00A39BA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$CurrentThread
                                    • String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                    • API String ID: 2377075789-1831360935
                                    • Opcode ID: 6d173b7be06d358d702778e6a02c03708b02de3870ed3ea4ee1c2b6d9602bc4a
                                    • Instruction ID: dc1891705f250e1be79d5a680709d5208cc2c2ff96e4ee9c36ba7921544451e2
                                    • Opcode Fuzzy Hash: 6d173b7be06d358d702778e6a02c03708b02de3870ed3ea4ee1c2b6d9602bc4a
                                    • Instruction Fuzzy Hash: B3819471A04248DFCF05EF74C995BAEBBB5AF55300F1441A9E906AB293DB70AE04CB91
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00A3C59E
                                    • SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 00A3C778
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Rect
                                    • String ID: AiDlgHeight$AiDlgWeight
                                    • API String ID: 3200805268-871102398
                                    • Opcode ID: 89b1461dd90ee3c7958a8051c15bbc5c7a26769a9b6cc8a1121f447e926a71f8
                                    • Instruction ID: 94e78acd67593d00fcb747f2c83dec82e2da482183a7fac6456e4db6d95ea2e2
                                    • Opcode Fuzzy Hash: 89b1461dd90ee3c7958a8051c15bbc5c7a26769a9b6cc8a1121f447e926a71f8
                                    • Instruction Fuzzy Hash: 13618F71D00248DFCB14DFA9D985B9EBBB8EF48314F148269E815AB391D774AA08CF91
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,C310823C,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B20724
                                      • Part of subcall function 00AE6130: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,80004005,?,?,?,00000000,00BDB90D,000000FF), ref: 00AE6148
                                      • Part of subcall function 00AE6130: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,80004005,?,?,?,00000000,00BDB90D,000000FF), ref: 00AE617A
                                      • Part of subcall function 009F2A50: RaiseException.KERNEL32(C310823C,C310823C,00000000,00000000,00B2197B,C000008C,00000001,C310823C), ref: 009F2A5C
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
                                    • String ID: *.*$.jar$.pack
                                    • API String ID: 2917691982-3892993289
                                    • Opcode ID: 99526446bfea2ccc7a811c64b447246c177692fca3c18e5f93329fc3c9397faa
                                    • Instruction ID: 468d7df999a8df19e27d7a03b58a53646344aae11f798fac2bc42d21c978cc3d
                                    • Opcode Fuzzy Hash: 99526446bfea2ccc7a811c64b447246c177692fca3c18e5f93329fc3c9397faa
                                    • Instruction Fuzzy Hash: 06515370A006599FDB10EFA9D844BAEF7F4FF44314F1442A9E425AB692D734ED05CB90
                                    APIs
                                    • EnterCriticalSection.KERNEL32(011CF5F8,C310823C,011CF5F8), ref: 00A45F01
                                    • GetCurrentThreadId.KERNEL32 ref: 00A45F11
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00A45F37
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: b1fa064d40df7cf9fe102b372826d019d364404d5f28df384a8fc89a6f338d76
                                    • Instruction ID: 6934816b44e26871411b555879080e5697bff4c2efa329e789e5aaa524fe3044
                                    • Opcode Fuzzy Hash: b1fa064d40df7cf9fe102b372826d019d364404d5f28df384a8fc89a6f338d76
                                    • Instruction Fuzzy Hash: BF41C079900A15AFDB14DF68C944BAEF7A8FB84314F108329E825D7292E731ED58CB91
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 009F2AA6
                                    • EnterCriticalSection.KERNEL32(00C87250), ref: 009F2AC6
                                    • LeaveCriticalSection.KERNEL32(00C87250), ref: 009F2AEA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: feefe04cb1a0cf58e2fe029d67a5945570bc87f11dc86d0de88eec4bfbea7a49
                                    • Instruction ID: c0743d994bb3390431ad4f2ff2a4bffe6fd6d10d8a38de25f362b85483895a34
                                    • Opcode Fuzzy Hash: feefe04cb1a0cf58e2fe029d67a5945570bc87f11dc86d0de88eec4bfbea7a49
                                    • Instruction Fuzzy Hash: 8621A071908748DFCB20DF68DC41B9ABBE8FB05720F10466EE82597780E775A904CB90
                                    APIs
                                    • EnterCriticalSection.KERNEL32(C310823C,C310823C), ref: 00A46140
                                    • GetCurrentThreadId.KERNEL32 ref: 00A46153
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00A461D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 199e11249d6b91bf9daaad3f6004c90303bedf5835602b8cd98cadf6f3f1739d
                                    • Instruction ID: 0732bd7be352f726d86dcd5aca1b77310d5895fd107de1ec15d4a5509f90937a
                                    • Opcode Fuzzy Hash: 199e11249d6b91bf9daaad3f6004c90303bedf5835602b8cd98cadf6f3f1739d
                                    • Instruction Fuzzy Hash: 9631BC75900244DFDB11CF6CC844BAEBBF4EF09314F144169E895A33A2E7B5AA04CB91
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00A14F22
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A14F28
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoOriginateLanguageException$combase.dll
                                    • API String ID: 2574300362-3996158991
                                    • Opcode ID: ba4503f0e5d14c8a305260d5f237cd1c2e7a4aefd19b08eef7cee83a4c7f74de
                                    • Instruction ID: 78de79ca3bcda5c312aaa9a24d512c6b48cdd1de778816180a032242a1d2b408
                                    • Opcode Fuzzy Hash: ba4503f0e5d14c8a305260d5f237cd1c2e7a4aefd19b08eef7cee83a4c7f74de
                                    • Instruction Fuzzy Hash: BE318EB1904219EFDF15DFA8C945BEEB7F4EF04710F108569E824A72D0DBB49A84CB91
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00B1152A,?,C310823C,?,?,?,000000FF,?,00B10EF4), ref: 00B1339D
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B1152A,?,C310823C,?,?,?,000000FF,?,00B10EF4,?), ref: 00B133BE
                                    • GetLastError.KERNEL32(?,C310823C,?,?,?,000000FF,?,00B10EF4,?,?,00000000,00000000,C310823C,?,?), ref: 00B1341E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CreateEvent$ErrorLast
                                    • String ID: AdvancedInstaller
                                    • API String ID: 1131763895-1372594473
                                    • Opcode ID: d4aba8cfbeeb5ec12f34ba37f2362cac77dcf4a94a707f3557d9043615d82374
                                    • Instruction ID: 0548a91fb335f59adfac2804803c88b7b6a408fe4545117bd29777270506d06b
                                    • Opcode Fuzzy Hash: d4aba8cfbeeb5ec12f34ba37f2362cac77dcf4a94a707f3557d9043615d82374
                                    • Instruction Fuzzy Hash: A1115B71340602ABD325CF31DC89F9ABBE4FB84B14F604468F5159B290EBB1F991CB98
                                    APIs
                                      • Part of subcall function 00AC2E80: __Init_thread_footer.LIBCMT ref: 00AC2F10
                                      • Part of subcall function 00AC2E80: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00AC2F4D
                                      • Part of subcall function 00AC2E80: __Init_thread_footer.LIBCMT ref: 00AC2F64
                                      • Part of subcall function 00AC2E80: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00AC2F8F
                                    • CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AC29C2
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AC29E0
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AC29E8
                                      • Part of subcall function 009F0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009F0E96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
                                    • String ID: SysListView32
                                    • API String ID: 605634508-78025650
                                    • Opcode ID: c0dd933eb3f0e770dfcb1807a0b137e9a76beb991c4056f6db651b5bdacddb1f
                                    • Instruction ID: 54f832ec3b9e1c4b3620ce3793903dd7d24834f0020280ee70ee1a679cd80d73
                                    • Opcode Fuzzy Hash: c0dd933eb3f0e770dfcb1807a0b137e9a76beb991c4056f6db651b5bdacddb1f
                                    • Instruction Fuzzy Hash: D1117C31301210BBD6149B15CC05F5BFFAAEBC9750F014619FA44AB2A1C6B1AC00CB90
                                    APIs
                                    • EnterCriticalSection.KERNEL32(00C87250), ref: 009F281C
                                    • GetCurrentThreadId.KERNEL32 ref: 009F2830
                                    • LeaveCriticalSection.KERNEL32(00C87250), ref: 009F286F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 6146467c8a57f0387cdadc5e1f023209c05fc90be1ff46c6878789b6d54be951
                                    • Instruction ID: 2af2867f623d35e7e8227090cd8d1f3a0424985da4a3d9fe2099dade514467b3
                                    • Opcode Fuzzy Hash: 6146467c8a57f0387cdadc5e1f023209c05fc90be1ff46c6878789b6d54be951
                                    • Instruction Fuzzy Hash: 0311C831D08344DBCB20CF65C84476ABBF4EB55B24F24466EE825A3390D7759C04C790
                                    APIs
                                    • CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00AC341B
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AC3433
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AC343B
                                      • Part of subcall function 009F0E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009F0E96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$CreateLong
                                    • String ID: RichEdit20W
                                    • API String ID: 4015368215-4173859555
                                    • Opcode ID: 2fd818632fd48b33f6f7264f89491eed2194520325dd28d82f51ac1ccb4c91b1
                                    • Instruction ID: 48dde8ccce2e149766485a500481ea9d3e340cb04bb006679b89537faa64565a
                                    • Opcode Fuzzy Hash: 2fd818632fd48b33f6f7264f89491eed2194520325dd28d82f51ac1ccb4c91b1
                                    • Instruction Fuzzy Hash: 80016935301214BFD6149B15DC04F6BFBEAFBC9B60F158219FA48A72A0C6B1EC00CBA5
                                    APIs
                                    • GetParent.USER32(?), ref: 00A44941
                                    • GetParent.USER32(?), ref: 00A4494A
                                    • SendMessageW.USER32(?,00000411,00000000,?), ref: 00A4495F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Parent$MessageSend
                                    • String ID: ,
                                    • API String ID: 2251359880-3772416878
                                    • Opcode ID: dacd3a81c6c9279939505b115468590a6e57d627c963115994178e9e8d458b59
                                    • Instruction ID: ab9ded5d84a1fcd81483eec3e6e31eca8b762c233a77eed0ade4583b26bae929
                                    • Opcode Fuzzy Hash: dacd3a81c6c9279939505b115468590a6e57d627c963115994178e9e8d458b59
                                    • Instruction Fuzzy Hash: 3D1187B1504300AFD720DF28D844B1BFBE4FB8D310F00492AF56992662C7B1E854CF96
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                      • Part of subcall function 00AFB460: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00AFB48D
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AFB6DE
                                    • _wcsrchr.LIBVCRUNTIME ref: 00AFB73E
                                    • _wcschr.LIBVCRUNTIME ref: 00AFB9D2
                                    • _wcschr.LIBVCRUNTIME ref: 00AFBA5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer_wcschr_wcsrchr$FileHeapModuleNameProcess
                                    • String ID:
                                    • API String ID: 1360097548-0
                                    • Opcode ID: 6b0e1c0ec1b054312ed00b10534bdd1191ec7365a57146385781538596d06e11
                                    • Instruction ID: 10b4b7119d4a3f7adf4eaddd15990ecf989803c4490c39cb33f34f95edf75eaa
                                    • Opcode Fuzzy Hash: 6b0e1c0ec1b054312ed00b10534bdd1191ec7365a57146385781538596d06e11
                                    • Instruction Fuzzy Hash: 10F1927190024DDFDB00DFA8C849BAEBBF8EF44314F148269F915AB2D1EB709945CBA0
                                    APIs
                                    • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00A003B8
                                    • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00A003CD
                                      • Part of subcall function 009E9AE0: RtlAllocateHeap.NTDLL(?,00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,?,00C7ACAC,?,009F6B09,80004005,C310823C,-00000010,?), ref: 009E9B2A
                                      • Part of subcall function 00AC2A60: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00A00408,00000000,80004005), ref: 00AC2AC8
                                      • Part of subcall function 00AC2A60: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AC2AF8
                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00A00503
                                    • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00A005FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateHeapWindow
                                    • String ID:
                                    • API String ID: 3168177373-0
                                    • Opcode ID: 5ed42cbd147a6d7ed2831adb54fa05746ca9bb367836f9a6f103890d3e69e109
                                    • Instruction ID: cfef9feceb82b4440d8d44016148911d40778826ddfa7a2bf9f502dac9ebfe2c
                                    • Opcode Fuzzy Hash: 5ed42cbd147a6d7ed2831adb54fa05746ca9bb367836f9a6f103890d3e69e109
                                    • Instruction Fuzzy Hash: C9B17C71A006099FDB18CFA8D895FEEFBB5FF48314F144219E415AB2D0DBB5A944CBA0
                                    APIs
                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 009EF07A
                                    • SysFreeString.OLEAUT32(00000000), ref: 009EF0C6
                                    • SysFreeString.OLEAUT32(00000000), ref: 009EF0E8
                                    • SysFreeString.OLEAUT32(00000000), ref: 009EF243
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: String$Free$Alloc
                                    • String ID:
                                    • API String ID: 986138563-0
                                    • Opcode ID: f78828e875fbdcb796288ac20a03e4ae123254f20f96d7f8f75adc1c7bf426f1
                                    • Instruction ID: d5f32f9fbb9f34c078173a4eae88907c369d4baed01636b8ec220e08acd749ef
                                    • Opcode Fuzzy Hash: f78828e875fbdcb796288ac20a03e4ae123254f20f96d7f8f75adc1c7bf426f1
                                    • Instruction Fuzzy Hash: B0A1BE71A00249EFDB11CFA9CC54BAFB7B8EF44714F10816AE515EB280E774AE01CB61
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00A085D8
                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00A08607
                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00A087CE
                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00A087F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 6ec29c17f29b4d562737a7a546534d40f642315c64348ddfd81e096e19f5e111
                                    • Instruction ID: 37d028c2d79247fab131f59104d7439386ef3ac4ba86fe5a490c9728456db673
                                    • Opcode Fuzzy Hash: 6ec29c17f29b4d562737a7a546534d40f642315c64348ddfd81e096e19f5e111
                                    • Instruction Fuzzy Hash: 89A17B71A00218DFCB15DF68E884BEEBBB5BF48310F154569E842AB2D5DB34EC41CBA4
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 52fc9098e7fcbd6aae7963795941cc97b57ab1ca470380c6e38cf090926107d5
                                    • Instruction ID: e0bd31c4aaee99dde29e1b152fdb1135dac936d5a7f1e8866c376e7542fbe2be
                                    • Opcode Fuzzy Hash: 52fc9098e7fcbd6aae7963795941cc97b57ab1ca470380c6e38cf090926107d5
                                    • Instruction Fuzzy Hash: 40A168B4900258DFCB10DFA8C888BDEFBB4FF58314F258259E504A7391E7749A45CB95
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 729422efa3f824461ac367a82b327615f8595bbc037071be60c51b2574c26212
                                    • Instruction ID: 8c93ff27e41bfc7a50f49af4bee7d0034aaa570199fd8623bda1be0b0e937f52
                                    • Opcode Fuzzy Hash: 729422efa3f824461ac367a82b327615f8595bbc037071be60c51b2574c26212
                                    • Instruction Fuzzy Hash: 8F81E271E00348DBDB11DFA8C844B9EFBB8EF44700F148258E815AB392E775AE45CB91
                                    APIs
                                    • RegCloseKey.ADVAPI32(00000000,C310823C), ref: 00B0CE16
                                    • _wcsrchr.LIBVCRUNTIME ref: 00B0CE40
                                    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 00B0CEC3
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B0CF0F
                                      • Part of subcall function 00B0CCC0: RegOpenKeyExW.ADVAPI32(00000000,C310823C,00000000,00020019,00000002,C310823C,00000001,00000010,00000002,00B0C00C,C310823C,00000000,?), ref: 00B0CD5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Close$OpenQueryValue_wcsrchr
                                    • String ID:
                                    • API String ID: 213811329-0
                                    • Opcode ID: c1dd705e677ffe30909b4fb2f3147b9cd345ca79a6a85c3cc6fb3b996303ab6b
                                    • Instruction ID: dfedd52bdb67601fa128421d47e5555cc7647da1bceb69df695392039e6fd78b
                                    • Opcode Fuzzy Hash: c1dd705e677ffe30909b4fb2f3147b9cd345ca79a6a85c3cc6fb3b996303ab6b
                                    • Instruction Fuzzy Hash: FB51DF72901249AFDB10CF68C848B9EBFB5EF45320F1483A9E824A73D1C7759A04CB90
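The registry-reading function above (RegOpenKeyExW with samDesired 00020019, then RegQueryValueExW and RegCloseKey) is one of dozens of blocks in this listing that share one layout: an `APIs` list of `Function.MODULE(args), ref: address` lines, optionally prefixed with the subcall they belong to, followed by `Similarity` key/value lines carrying the Opcode ID, String ID and fuzzy hashes. The following is an added example, not part of this report or of Joe Sandbox's own tooling, that parses that layout into records so the blocks can be triaged as data rather than read one by one: it decodes the `samDesired` argument of registry opens (0x20019 is KEY_READ, so this function opens its key read-only), counts call sites per API across the listing, and finds which blocks reference a given API. The `SAMPLE` excerpt is constructed from two blocks on this page; the parser assumes the printed arguments appear in parameter order (the sandbox prints stack slots, so there are more of them than the API takes) and leaves values shown as `?` undecoded.

```python
"""Turn Joe Sandbox per-function 'APIs' / 'Similarity' blocks into records
and triage them.  Added example for this page, not Joe Sandbox code."""
import re
from collections import Counter

# Constructed excerpt: two blocks copied from the listing, bullets and
# 'ref:' fields exactly as the report prints them.
SAMPLE = """\
APIs
• RegCloseKey.ADVAPI32(00000000,C310823C), ref: 00B0CE16
• _wcsrchr.LIBVCRUNTIME ref: 00B0CE40
• RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 00B0CEC3
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B0CF0F
  • Part of subcall function 00B0CCC0: RegOpenKeyExW.ADVAPI32(00000000,C310823C,00000000,00020019,00000002,C310823C,00000001,00000010,00000002,00B0C00C,C310823C,00000000,?), ref: 00B0CD5C
Similarity
• API ID: Close$OpenQueryValue_wcsrchr
• String ID:
• Opcode ID: c1dd705e677ffe30909b4fb2f3147b9cd345ca79a6a85c3cc6fb3b996303ab6b
• Instruction Fuzzy Hash: FB51DF72901249AFDB10CF68C848B9EBFB5EF45320F1483A9E824A73D1C7759A04CB90
APIs
• CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00AC341B
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AC3433
Similarity
• API ID: MessageSendWindow$CreateLong
• String ID: RichEdit20W
• Opcode ID: 2fd818632fd48b33f6f7264f89491eed2194520325dd28d82f51ac1ccb4c91b1
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_blocks(text):
    """One record per function block: its API calls (name, module, printed
    arguments, call-site address, enclosing subcall if any) plus the
    key/value metadata (Opcode ID, String ID, fuzzy hashes, ...)."""
    blocks, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # a new function block starts
            cur = {"apis": [], "meta": {}}
            blocks.append(cur)
            in_apis = True
        elif line in SECTIONS:
            in_apis = False
        elif cur is None:
            continue
        elif in_apis:
            m = API_RE.match(line)
            if m:
                cur["apis"].append({
                    "name": m["name"], "module": m["module"],
                    # stack slots as printed; '?' = value the sandbox could not resolve
                    "args": m["args"].split(",") if m["args"] else [],
                    "ref": int(m["ref"], 16), "subcall": m["sub"]})
        else:
            m = KV_RE.match(line)
            if m:
                cur["meta"][m["key"]] = m["val"]
    return blocks

# Registry access rights from winnt.h / winreg.h; 0x20000 is READ_CONTROL.
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
COMPOSITE = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

def decode_reg_access(mask):
    """Name a samDesired value, e.g. 0x20019 -> KEY_READ."""
    if mask in COMPOSITE:
        return COMPOSITE[mask]
    return "|".join(n for b, n in KEY_RIGHTS.items() if mask & b) or hex(mask)

def registry_opens(blocks):
    """(Opcode ID, API, decoded access) for each registry open in the listing.
    samDesired is argument 4 of RegOpenKeyExW and argument 6 of RegCreateKeyExW."""
    out = []
    for b in blocks:
        for call in b["apis"]:
            idx = {"RegOpenKeyExW": 3, "RegCreateKeyExW": 5}.get(call["name"])
            if idx is None or len(call["args"]) <= idx:
                continue
            try:
                mask = int(call["args"][idx], 16)
            except ValueError:                   # '?' or a string argument
                continue
            out.append((b["meta"].get("Opcode ID"), call["name"], decode_reg_access(mask)))
    return out

def api_histogram(blocks):
    """How many call sites reference each API across all blocks."""
    return Counter(c["name"] for b in blocks for c in b["apis"])

def functions_calling(blocks, api_names):
    """Indices of blocks whose call list includes any of api_names."""
    return [i for i, b in enumerate(blocks) if any(c["name"] in api_names for c in b["apis"])]

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print(api_histogram(parsed).most_common(3))
    print(registry_opens(parsed))
```

Run it over the whole saved report text instead of `SAMPLE` to get a histogram of every imported API the disassembler attributed to a function, and feed `functions_calling` the names behind the signatures listed in the overview (for example `IsDebuggerPresent` or `GetProcessHeap`) to jump straight to the Opcode IDs of the blocks that triggered them.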
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00A7FF82
                                    • GetWindowRect.USER32(?,?), ref: 00A7FF9A
                                    • GetWindowRect.USER32(?,?), ref: 00A80006
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00A8002A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Rect$Long
                                    • String ID:
                                    • API String ID: 3486571012-0
                                    • Opcode ID: 8d499ddf46aaadcbfc7d7c294b832443d711d33ddfae2f19cec512639a8836a5
                                    • Instruction ID: 7fc2f8cb7f7eacadf96e8323d2c347881fccdbfb7a826ada5f963a3dc990c666
                                    • Opcode Fuzzy Hash: 8d499ddf46aaadcbfc7d7c294b832443d711d33ddfae2f19cec512639a8836a5
                                    • Instruction Fuzzy Hash: 5A417C326087059FC700DF24D884B5FB7E8EF99705F05862DF94997251EB30EA858B52
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(C310823C,C310823C,?), ref: 009FCF9F
                                    • EnterCriticalSection.KERNEL32(?,C310823C,?), ref: 009FCFAC
                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 009FD083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: adbf6978fd5ad9f710a3e0fdaf7fd844deed1ca415100802e4fb604002bb08ee
                                    • Instruction ID: 671e673bf0852b042d15682733c8330be60fa19b9feb120cccbb2e5db00661d4
                                    • Opcode Fuzzy Hash: adbf6978fd5ad9f710a3e0fdaf7fd844deed1ca415100802e4fb604002bb08ee
                                    • Instruction Fuzzy Hash: 1941CF7460170A8FCB21DF38C940BBABBA6EF45310F144569EA96D7391CF31A916CBA0
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 00AFD5CF
                                    • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00AFD5DC
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00AFD5F9
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00AFD61B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: 1f0f3b7452030632b4148d912e3b151a4614ca79c550e7d0f9ffa5d690174e32
                                    • Instruction ID: 62c161474d7d51d5a0fdb0597c9f74c1bd12f64ac140a48bcadb47ea9b09a5d8
                                    • Opcode Fuzzy Hash: 1f0f3b7452030632b4148d912e3b151a4614ca79c550e7d0f9ffa5d690174e32
                                    • Instruction Fuzzy Hash: BB2125B274030A7BEB116F94DC82F76B75EEB54B44F240129FB05AB1C0EBA17D15CAA4
                                    APIs
                                    • MulDiv.KERNEL32(00000010,?,00000060), ref: 00A36432
                                    • GetWindowRect.USER32(?,?), ref: 00A36481
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00A364AA
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 00A3653C
                                    Similarity
                                    • API ID: Window$LongRect
                                    • String ID:
                                    • API String ID: 463821813-0
                                    • Opcode ID: fb454fbde8bb5c61f374f8da0efb9fddf06878fe8c3e2de8e49738cefbde3e39
                                    • Instruction ID: ce31514a2da22d2a703cc936a1bff6739516f0c34594883d75ddac5cc3754c03
                                    • Opcode Fuzzy Hash: fb454fbde8bb5c61f374f8da0efb9fddf06878fe8c3e2de8e49738cefbde3e39
                                    • Instruction Fuzzy Hash: 1E412571508745AFD705DF29DD85B6ABBB8FF88300F408A1AF98593260DB31E895CB92
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,80004005,?,?,?,00000000,00BDB90D,000000FF), ref: 00AE6148
                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,80004005,?,?,?,00000000,00BDB90D,000000FF), ref: 00AE617A
                                    • GetStdHandle.KERNEL32(000000F5,?,C310823C,00000000,00B9E9A0,000000FF,?,80070057,?,-00000001,?,?,?,80004005,?,?), ref: 00AE61E6
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,C310823C,00000000,00B9E9A0,000000FF,?,80070057,?,-00000001,?,?,?,80004005,?,?), ref: 00AE61ED
                                    Similarity
                                    • API ID: ByteCharMultiWide$AttributeConsoleHandleText
                                    • String ID:
                                    • API String ID: 3849414675-0
                                    • Opcode ID: d32bf569c65d7c6abfb97cb1c9e9bcbadcdecd32646ef6e06e527d7d27a41a6a
                                    • Instruction ID: 5c6279e53bc9566aadb62d32e8722b813a45a9328fd6fc06c6e1992b6eaa1fd6
                                    • Opcode Fuzzy Hash: d32bf569c65d7c6abfb97cb1c9e9bcbadcdecd32646ef6e06e527d7d27a41a6a
                                    • Instruction Fuzzy Hash: 8D21F372304251BFDB11CB99DC49F6AB769EB85761F20432EF626E72D0CB316901CBA0
                                    APIs
                                    • GetParent.USER32(00000000), ref: 00A39A2F
                                    • GetParent.USER32(00000000), ref: 00A39A37
                                    • GetParent.USER32(00000000), ref: 00A39A3C
                                    • SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 00A39A4D
                                    Similarity
                                    • API ID: Parent$MessageSend
                                    • String ID:
                                    • API String ID: 2251359880-0
                                    • Opcode ID: 4fc2be879b2cd8983c126f65d63fe5ddef8a30761403b331b7c6581b9a7202c8
                                    • Instruction ID: 7e6d08c093f8dbb0263686d3979e76756437df0608954ea11931c9543a23d0b2
                                    • Opcode Fuzzy Hash: 4fc2be879b2cd8983c126f65d63fe5ddef8a30761403b331b7c6581b9a7202c8
                                    • Instruction Fuzzy Hash: F221BE32700115AFDB249B28EC84FAFF799EF91754F444626F505C2260EBB1DD928764
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,C310823C), ref: 009FCDFA
                                    • EnterCriticalSection.KERNEL32(?,C310823C), ref: 009FCE07
                                    • LeaveCriticalSection.KERNEL32(?), ref: 009FCE58
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: ba082186ede285b5c00192a55801b67be058ba6c10c5c330e5374add6450bd25
                                    • Instruction ID: 2642ad9f29e0ec00157a0931e607b27899a0d5f3b0cf9c8a159526705d23d284
                                    • Opcode Fuzzy Hash: ba082186ede285b5c00192a55801b67be058ba6c10c5c330e5374add6450bd25
                                    • Instruction Fuzzy Hash: 4621F4769002499FDF11CF24C940BEABBB4FF56324F5041A9ED59AB392C7319D09CBA0
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,C310823C), ref: 009FCEEA
                                    • EnterCriticalSection.KERNEL32(?,C310823C), ref: 009FCEF7
                                    • LeaveCriticalSection.KERNEL32(?), ref: 009FCF3E
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: 97a366dc07b555a6258d482f5edd1a3ea082a7fa0d41833a5660e01ac8096d7d
                                    • Instruction ID: 22649e6d20a98e288338432d2ea40716f9b42555038ed4fad504030f23c5c57b
                                    • Opcode Fuzzy Hash: 97a366dc07b555a6258d482f5edd1a3ea082a7fa0d41833a5660e01ac8096d7d
                                    • Instruction Fuzzy Hash: 5F21CF769002499FDF11CF24C940BA9BBB4FF15324F6045A9ED59AB392DB319909CBA0
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,C310823C,?), ref: 009FCD2D
                                    • EnterCriticalSection.KERNEL32(?,C310823C,?), ref: 009FCD3A
                                    • LeaveCriticalSection.KERNEL32(?), ref: 009FCD62
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: a032a8e2487af9c381fdc8e2ece0810d7eec0bedd4e4339141e1ea5c68e79b69
                                    • Instruction ID: 2ef51ec92f7ed1efaee9434066472fe741022b000cf2efa729820f0fd1fca419
                                    • Opcode Fuzzy Hash: a032a8e2487af9c381fdc8e2ece0810d7eec0bedd4e4339141e1ea5c68e79b69
                                    • Instruction Fuzzy Hash: 322106769042499FCF11CF24C940BEEBF74EB56324F1045A9D859A7381CB325A09CBA0
                                    APIs
                                    • WaitForSingleObject.KERNEL32(00000001,?,C310823C,?,?,00000000,Function_001BE7D0,000000FF,?,00B22058,00000000,80004005,?,?,00B0485D,?), ref: 00B220A7
                                    • GetExitCodeThread.KERNEL32(00000001,00B22058,?,?,00000000,Function_001BE7D0,000000FF), ref: 00B220C1
                                    • TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,Function_001BE7D0,000000FF), ref: 00B220D9
                                    • CloseHandle.KERNEL32(00000001,?,?,00000000,Function_001BE7D0,000000FF,?,00B22058,00000000,80004005,?,?,00B0485D,?,C310823C,?), ref: 00B220E2
                                    Similarity
                                    • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                    • String ID:
                                    • API String ID: 3774109050-0
                                    • Opcode ID: 0103a7f8559f2408872fa5da6696262e423d40ae3aca455696288852b56dacd3
                                    • Instruction ID: ae667b5437f2530c261960cd2407a9ffb55acc32802206dd4cc65c395292ba26
                                    • Opcode Fuzzy Hash: 0103a7f8559f2408872fa5da6696262e423d40ae3aca455696288852b56dacd3
                                    • Instruction Fuzzy Hash: 7D015271500615EFDB208F54EC49B67B7F8FB04710F10866AE869D3AA0DB75AC40CB54
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 009ED966
                                    • SendMessageW.USER32(?,00000000,00000000), ref: 009EDA62
                                      • Part of subcall function 009EF1A0: SysFreeString.OLEAUT32(00000000), ref: 009EF243
                                    Strings
                                    Similarity
                                    • API ID: CreateFreeMessageSendStringWindow
                                    • String ID: AtlAxWin140
                                    • API String ID: 4045344427-3842940177
                                    • Opcode ID: 2ec8d041b70e514c1c7620c5e6388f48c107a4694bfe55f8629a8d4c782226b1
                                    • Instruction ID: d391b141bffd933477dbc1637d70c06abc8cb4cbf3431e140b0fdc68d1934787
                                    • Opcode Fuzzy Hash: 2ec8d041b70e514c1c7620c5e6388f48c107a4694bfe55f8629a8d4c782226b1
                                    • Instruction Fuzzy Hash: 4C912574600249EFDB14CF69C888F6ABBB9FF49714F1085A9F9299B291C771ED01CB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00A4F126
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00A4F12C
                                      • Part of subcall function 00A50AC0: GetProcessHeap.KERNEL32(?,?,C310823C,00000000), ref: 00A50B7A
                                      • Part of subcall function 00A50AC0: HeapFree.KERNEL32(00000000,?,?,C310823C,00000000), ref: 00A50B80
                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A4F337
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A4F33D
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: ce9ae7177dc91475ea9765282e98923be0119b90307f2ef038e4fdbaaa791d2e
                                    • Instruction ID: 9a5250000cf5362e062bfd373e66cd032c5f64d12199003476ae7b2e9fb54b8e
                                    • Opcode Fuzzy Hash: ce9ae7177dc91475ea9765282e98923be0119b90307f2ef038e4fdbaaa791d2e
                                    • Instruction Fuzzy Hash: DDF16974D00249DFDB04DFA8C945BEEBBB4FF55314F2042A9E815AB291DB74AE04CB91
                                    APIs
                                      • Part of subcall function 009E9E20: GetProcessHeap.KERNEL32 ref: 009E9E75
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9EA7
                                      • Part of subcall function 009E9E20: __Init_thread_footer.LIBCMT ref: 009E9F32
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00BE240F,000000FF), ref: 00B18563
                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00BE240F,000000FF), ref: 00B185F1
                                    Strings
                                    • << Advanced Installer (x86) Log >>, xrefs: 00B184CF
                                    Similarity
                                    • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                    • String ID: << Advanced Installer (x86) Log >>
                                    • API String ID: 3699736680-396061572
                                    • Opcode ID: 495cda73bd144353922c31ef5f681170abdeca17748d9e3c9f1de29438c25394
                                    • Instruction ID: b16eea7f1b875725afeb8d3f21d74beff29eb16be959ac8aefe3dd8ea99b7f76
                                    • Opcode Fuzzy Hash: 495cda73bd144353922c31ef5f681170abdeca17748d9e3c9f1de29438c25394
                                    • Instruction Fuzzy Hash: B361ABB0905685DFDB01CFA8D948B9EBBF4FF45314F2482ADE4049B392EB759A44CB90
                                    APIs
                                      • Part of subcall function 00B77112: EnterCriticalSection.KERNEL32(00C85CD8,-00000010,?,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?), ref: 00B7711D
                                      • Part of subcall function 00B77112: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9EC6,00C86904,C310823C,?,?,00B9EF2D,000000FF,?,009F6A8F,C310823C,-00000010,?,?,00000008), ref: 00B7715A
                                    • __Init_thread_footer.LIBCMT ref: 00A2D24D
                                      • Part of subcall function 00B770C8: EnterCriticalSection.KERNEL32(00C85CD8,?,?,009E9F37,00C86904,00BF7320), ref: 00B770D2
                                      • Part of subcall function 00B770C8: LeaveCriticalSection.KERNEL32(00C85CD8,?,009E9F37,00C86904,00BF7320), ref: 00B77105
                                      • Part of subcall function 00B770C8: RtlWakeAllConditionVariable.NTDLL ref: 00B7717C
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
                                    • API String ID: 2296764815-2445763458
                                    • Opcode ID: bd2a55999595034746667bd018d5a3831c5441e6c5c90949f233393f464e68f5
                                    • Instruction ID: 7e7ad776fc060863b4ffe39dec7b21ba1cf2a0f1b2d89cbce772036aa3302403
                                    • Opcode Fuzzy Hash: bd2a55999595034746667bd018d5a3831c5441e6c5c90949f233393f464e68f5
                                    • Instruction Fuzzy Hash: A771B3B0905249EFDB01CFA8D9447DEBBF0BF14304F148269E814672D2D7B99B08DBA2
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,C310823C), ref: 00AD4B51
                                    Strings
                                    Similarity
                                    • API ID: Path
                                    • String ID: \\?\$\\?\UNC\
                                    • API String ID: 2875597873-3019864461
                                    • Opcode ID: 24739c16d3cf3695f7019d4c4c4ecea4f3b63b9b3ed5bae3024d3f7c82ae22c9
                                    • Instruction ID: f5fbb9e4f3588cb9eb1fc037fb0fb50f571288f534a10401d7999b1a14f3126b
                                    • Opcode Fuzzy Hash: 24739c16d3cf3695f7019d4c4c4ecea4f3b63b9b3ed5bae3024d3f7c82ae22c9
                                    • Instruction Fuzzy Hash: 4F51D470D106049BDB14DF68D885BAEF7F5FF98304F10861ED81667381EB75A948CBA1
                                    APIs
                                    • RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,00C0438C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,C310823C), ref: 009F7370
                                      • Part of subcall function 00ACEBE0: GetModuleHandleW.KERNEL32(Advapi32.dll,C310823C,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 00ACEC23
                                    • CloseHandle.KERNEL32(?,C310823C), ref: 009F73A9
                                    Strings
                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 009F7268
                                    Similarity
                                    • API ID: CloseHandle$Module
                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                    • API String ID: 1412095732-2431777889
                                    • Opcode ID: 48e980e0dbebb4f2421ab767658eeab87a4e6edad46bf7617269ff4ade8c8036
                                    • Instruction ID: 08ff11909160de06f829abaa985ec386d4755d55cd57447c8c2968982d863b9f
                                    • Opcode Fuzzy Hash: 48e980e0dbebb4f2421ab767658eeab87a4e6edad46bf7617269ff4ade8c8036
                                    • Instruction Fuzzy Hash: 4E514970D04248EBDB20DFA4D959BEEFBB8BF14304F10819DE555A7281DBB46A48CBA1
                                    APIs
                                    • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,C310823C,00C1A83C), ref: 00AE82A8
                                    • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00AE83B2
                                      • Part of subcall function 00ADAA10: std::locale::_Init.LIBCPMT ref: 00ADAAED
                                      • Part of subcall function 00AD81D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00AD82A5
                                    Strings
                                    • Failed to get Windows error message [win32 error 0x, xrefs: 00AE82C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                    • String ID: Failed to get Windows error message [win32 error 0x
                                    • API String ID: 1983821583-3373098694
                                    • Opcode ID: 32f064fee35af2569cbad6fd2199eb571e8b1e1ca7af8c6c87541e0de82971bf
                                    • Instruction ID: 916e2cbd6852d2cc86bbb0c2d24629238703eb54ac9808dacfc37da825f163a2
                                    • Opcode Fuzzy Hash: 32f064fee35af2569cbad6fd2199eb571e8b1e1ca7af8c6c87541e0de82971bf
                                    • Instruction Fuzzy Hash: B7416F71A003499BDB20DF68C909BAFBBF8FF44704F104559E459AB391DBB89A08CB91
                                    APIs
                                    • OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,00C1B440,00000001,C310823C,00000000), ref: 00B32F9E
                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00B32FBB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Event$CreateOpen
                                    • String ID: _pbl_evt
                                    • API String ID: 2335040897-4023232351
                                    • Opcode ID: dbd7bb049f1d7273c017e7b70f34596b916ab5b473b3ca45758217a35da2c4c7
                                    • Instruction ID: 24257aea7fc08a069132692100368675393fe22d16f8d32338b7937d0e0b5dec
                                    • Opcode Fuzzy Hash: dbd7bb049f1d7273c017e7b70f34596b916ab5b473b3ca45758217a35da2c4c7
                                    • Instruction Fuzzy Hash: 92313A71D04248EFDB11DFA8D955BEEB7B8EF14714F208159E811B7280DB746A09CBA1
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00AD779B
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AD77FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 3988782225-1405518554
                                    • Opcode ID: b48442c45eccb518b239e0dca1341c8e4f6b9d18f3a50ea86870ad64bd56b91a
                                    • Instruction ID: 5b8fcb4a9a72ff72ab68e8eb5f8f1f352ba51596dd15e226311f3817a7971aec
                                    • Opcode Fuzzy Hash: b48442c45eccb518b239e0dca1341c8e4f6b9d18f3a50ea86870ad64bd56b91a
                                    • Instruction Fuzzy Hash: AD21BD70A05784DFD720CF68C90474EBFE4AF15714F14869EE49A8BB81E3B5EA04DBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00A4E62B
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00A4E631
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00A4E700
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00A4E706
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 06278bcf23b390710f2648c2d18ce5e0e72a77d54393bc6666519ea4fc573b80
                                    • Instruction ID: 6bd6539fabdc14347c39299681a2481cdc443289170cde7d6d44b525ba05049f
                                    • Opcode Fuzzy Hash: 06278bcf23b390710f2648c2d18ce5e0e72a77d54393bc6666519ea4fc573b80
                                    • Instruction Fuzzy Hash: 10D18A74900248DFDF14DFA8C994BEEBBB5BF94314F2441ADE005AB292DB70AE45CB91
                                    APIs
                                    • GetParent.USER32(00000005), ref: 00A01554
                                    Strings
                                    • d, xrefs: 00A01520
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00A01529
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                    • API String ID: 975332729-3547446826
                                    • Opcode ID: 74ea2a23ab7a59765447df24e1553fdf1307d0a333444cf97de687f62f0509d5
                                    • Instruction ID: 7aaa827fa5a79e420e45b33c606504cf9caec81b541c467c34c351ad01d1bba4
                                    • Opcode Fuzzy Hash: 74ea2a23ab7a59765447df24e1553fdf1307d0a333444cf97de687f62f0509d5
                                    • Instruction Fuzzy Hash: 9E213BB4D05298EFDF00CFE4D9487CEBBB0BF55308F148058E002AB296D7B95A08CB91
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009ED395
                                    • d, xrefs: 009ED389
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 5041a87ad5f679b5b714f5c9ad2e9eec17c328e3d5906c6be7857150f7b40cc2
                                    • Instruction ID: e8b9223d807025e053b7af590995a77b36f0bbb0ebf73e5878b03556f81b3e2a
                                    • Opcode Fuzzy Hash: 5041a87ad5f679b5b714f5c9ad2e9eec17c328e3d5906c6be7857150f7b40cc2
                                    • Instruction Fuzzy Hash: 522138B4D05298EFDF05DFE4E9587DEBBB0BF15304F108058D0016B296D7B85A08CB92
                                    APIs
                                    Strings
                                    • d, xrefs: 009ECFBB
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009ECFC4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: cb55ff92efe384fa5ca8dcdf9687d26ebb2524dc6ba5c7e68007b742b5e3f21f
                                    • Instruction ID: 1f40623ce9e9024bf22840402283abb95979d1b2691be4afde4c669fe098fa8e
                                    • Opcode Fuzzy Hash: cb55ff92efe384fa5ca8dcdf9687d26ebb2524dc6ba5c7e68007b742b5e3f21f
                                    • Instruction Fuzzy Hash: 15211AB4D05298EFDF05DFE4E9587DEBBB1BF15304F144058D0016B296D7B95A08CB92
                                    APIs
                                    • GetParent.USER32(0000000D), ref: 00A0161B
                                    Strings
                                    • d, xrefs: 00A015E5
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00A015EE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                    • API String ID: 975332729-3547446826
                                    • Opcode ID: 5485b1f78c2dfc3ae219d2ca9ab53d3b9227fae63f255ec87f42d61750c93e89
                                    • Instruction ID: e236ba10d967bb6172edde79e36fd2f0f3f3acab268c4ba273f65550da83b1c3
                                    • Opcode Fuzzy Hash: 5485b1f78c2dfc3ae219d2ca9ab53d3b9227fae63f255ec87f42d61750c93e89
                                    • Instruction Fuzzy Hash: 742113B4D01288EEDF01DFE4D958BDEBFB0BF15308F148058E0026B296D7B95A09DB92
                                    APIs
                                    Strings
                                    • d, xrefs: 009ED44D
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009ED459
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 8c8c6c553e2385ee98c28b08af0b2675e369aabe468074f2bc95e788df4ec03a
                                    • Instruction ID: 3bf5a0144da569a2fa2a8ff37764d30287da389210a1bab31f65f800e2caefdd
                                    • Opcode Fuzzy Hash: 8c8c6c553e2385ee98c28b08af0b2675e369aabe468074f2bc95e788df4ec03a
                                    • Instruction Fuzzy Hash: C32144B0D05298EEDF05DFE4D9987CEBBB0BF54308F108158E0016B296DBB84A09DB92
                                    APIs
                                    Strings
                                    • d, xrefs: 009ED07A
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009ED083
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: f515b098c8d6f2bc0d5c9e7286e93e338e18ef588719a3968eb656ae0fde0ef0
                                    • Instruction ID: e59d9f5a86a692120d1f3cbae03c548a4d24fa5445bdedae5f1a07959062d0c4
                                    • Opcode Fuzzy Hash: f515b098c8d6f2bc0d5c9e7286e93e338e18ef588719a3968eb656ae0fde0ef0
                                    • Instruction Fuzzy Hash: B12114B4D05298EEDF05DFE4E9587DEBFB0BF15308F148058E0016B296DBB94A09DB52
                                    APIs
                                    • CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A4136F
                                    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00A3FEE9,00000000,C310823C,?,?), ref: 00A41388
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Window$Create
                                    • String ID: tooltips_class32
                                    • API String ID: 870168347-1918224756
                                    • Opcode ID: 802e200031c1a55ade95bcf93a609e3099b9e5ca047c15fc747bc80d647b35e7
                                    • Instruction ID: 2cb83486914b9e830dff80d365bd7b1651c6e3de5953328f5c256e8d18f60bef
                                    • Opcode Fuzzy Hash: 802e200031c1a55ade95bcf93a609e3099b9e5ca047c15fc747bc80d647b35e7
                                    • Instruction Fuzzy Hash: 5101F0323803127AF7648664DC0AFAA3298D780B41F308238BB04FD0D0D6E6AA10C608
                                    APIs
                                    • GetParent.USER32(00000013), ref: 00A016A4
                                    Strings
                                    • Unknown exception, xrefs: 00A01679
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00A01689
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                    • API String ID: 975332729-3529215713
                                    • Opcode ID: bf1378e30c0ee8c3bb0375d225bb2c87ae522ba839770ac6d83e0ed759565df0
                                    • Instruction ID: 28bb3acfb45f8186802a44793498c186f4520a034613a32f9323da5a7ab1b099
                                    • Opcode Fuzzy Hash: bf1378e30c0ee8c3bb0375d225bb2c87ae522ba839770ac6d83e0ed759565df0
                                    • Instruction Fuzzy Hash: 75015E34D0528CEFCB05DBE4D955BDDBBB0AF55304F548098E0026B296D7B55E08DB92
                                    APIs
                                    Strings
                                    • Unknown exception, xrefs: 009ED4E0
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009ED4F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                     • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                    • API String ID: 2558294473-1308700304
                                    • Opcode ID: b04ce06d6f627c77df2304a5b5cfa1e8425e8b77c375a7501543ddf0e2676d4b
                                    • Instruction ID: 7911e34d51c3db7cda17b98f88cc55989581605d548dfd67599e42275ee96fec
                                    • Opcode Fuzzy Hash: b04ce06d6f627c77df2304a5b5cfa1e8425e8b77c375a7501543ddf0e2676d4b
                                    • Instruction Fuzzy Hash: FB018030D0528CEBCB06EBE4D955BCEBFB56FA5300F148198D1016B386DBB45A08DB92
                                    APIs
                                    Strings
                                    • Unknown exception, xrefs: 009ED108
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009ED118
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                    • API String ID: 2558294473-1308700304
                                    • Opcode ID: b79862c61355628a00277c90b0a6d9d1a21ce7ccab71307d226fca747dba37b2
                                    • Instruction ID: 483eb411aa8aa36f34ef10521606a51ce0393f24f5894c57b6c876b88cad5671
                                    • Opcode Fuzzy Hash: b79862c61355628a00277c90b0a6d9d1a21ce7ccab71307d226fca747dba37b2
                                    • Instruction Fuzzy Hash: 1C019230D0528CEBCF05DBE4D9547DEBFB56F65304F144098D0016B286DBB44A04D792
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00A220B1
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00A220B7
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00A22143
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00A22149
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 60a22f1096a8c0e86c29b3218569a7905d1b54e016e54450414fc4b7fcb6cff8
                                    • Instruction ID: e716b54ec3878f7e8c2dd04ade5600c6ce33f392a5f7c7b0cb4602553e37cd6e
                                    • Opcode Fuzzy Hash: 60a22f1096a8c0e86c29b3218569a7905d1b54e016e54450414fc4b7fcb6cff8
                                    • Instruction Fuzzy Hash: 6791EFB0D05258EFDB15DFA8E944BEEFBB4FF44314F10426AE42167291DB70AA45CBA0
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?,?,?), ref: 00A20E11
                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00A20E17
                                    • GetProcessHeap.KERNEL32(?,?,?,?), ref: 00A20EA3
                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00A20EA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1791892865.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                    • Associated: 00000000.00000002.1791872045.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792130415.0000000000C7F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792154217.0000000000C84000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792173386.0000000000C85000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1792191488.0000000000C88000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e0000_dK5DtwHlOm.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 8f6be33f931e586d723a55a4b9204de4e2022eb256e34bf11fb7dc88c1722d04
                                    • Instruction ID: 46b788a407815e6f3d17dea2a1880dc55da8782752a3c5e22fd090894ce7f19e
                                    • Opcode Fuzzy Hash: 8f6be33f931e586d723a55a4b9204de4e2022eb256e34bf11fb7dc88c1722d04
                                    • Instruction Fuzzy Hash: FA61F0B0D02268EFDF19DFA8E944FDEFBB5AF00310F104569E41167282CB34AA45CBA0