Windows Analysis Report
L7eGkXK1vw.exe

Overview

General Information

Sample name: L7eGkXK1vw.exe (renamed because the original name is a hash value)
Original sample name: 5a7889d8d11a64a8dd380049b9e1db2c7a20e9fa7f66b4538b281cd1e5c9d0e7.exe
Analysis ID: 1554993
MD5: b4826e1862bf50df8e729c8fadeb9f0b
SHA1: cc3b95c66ead4d0bc695a5c87241f6eda51febbb
SHA256: 5a7889d8d11a64a8dd380049b9e1db2c7a20e9fa7f66b4538b281cd1e5c9d0e7
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • L7eGkXK1vw.exe (PID: 2676 cmdline: "C:\Users\user\Desktop\L7eGkXK1vw.exe" MD5: B4826E1862BF50DF8E729C8FADEB9F0B)
    • msiexec.exe (PID: 6564 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\ADBBE7B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\L7eGkXK1vw.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488680 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 2228 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6004 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding ACA38A334053287546358A7834586E97 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C9C4CD5A6467721AC65AAF0E4F5DEE73 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T10:08:19.632474+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49709 | TCP
2024-11-13T10:08:57.821172+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49894 | TCP

There are no malicious signatures.

Compliance

Source: L7eGkXK1vw.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: L7eGkXK1vw.exe | Static PE information: certificate valid
Source: L7eGkXK1vw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: L7eGkXK1vw.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01062380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_01062380
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F5AB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,0_2_00F5AB80
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01044DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,0_2_01044DA0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01045370 FindFirstFileW,GetLastError,FindClose,0_2_01045370
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01063220 FindFirstFileW,FindClose,0_2_01063220
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01028230 FindFirstFileW,FindNextFileW,FindClose,0_2_01028230
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_0106C530
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106C930 FindFirstFileW,FindClose,0_2_0106C930
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010808D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_010808D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01044A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,0_2_01044A10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0104CF00 FindFirstFileW,FindClose,FindClose,0_2_0104CF00
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0105F260 FindFirstFileW,FindClose,0_2_0105F260
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106F8A0 FindFirstFileW,FindClose,0_2_0106F8A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,0_2_0106B500
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49709
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49894
Source: L7eGkXK1vw.exe | String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: L7eGkXK1vw.exe, 00000000.00000000.1991668484.0000000001159000.00000002.00000001.01000000.00000003.sdmp, L7eGkXK1vw.exe, 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: shiCF5B.tmp.0.dr | String found in binary or memory: http://.css
Source: shiCF5B.tmp.0.dr | String found in binary or memory: http://.jpg
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shiCF5B.tmp.0.dr | String found in binary or memory: http://html4/loose.dtd
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://t2.symcb.com0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://tl.symcd.com0&
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01082390 NtdllDefWindowProc_W,0_2_01082390
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01002620 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W,0_2_01002620
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FA0110 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00FA0110
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FE8100 NtdllDefWindowProc_W,0_2_00FE8100
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F52330 NtdllDefWindowProc_W,0_2_00F52330
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F5C750 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,0_2_00F5C750
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F58840 NtdllDefWindowProc_W,0_2_00F58840
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F589B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00F589B0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F4EBF0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,0_2_00F4EBF0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FA0C9E GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,0_2_00FA0C9E
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FA0C28 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,0_2_00FA0C28
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FA0D5D GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,0_2_00FA0D5D
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F96FA0 NtdllDefWindowProc_W,0_2_00F96FA0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F4F1A0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,0_2_00F4F1A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F4F7D0 NtdllDefWindowProc_W,0_2_00F4F7D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F6D760 NtdllDefWindowProc_W,0_2_00F6D760
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F51740 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,0_2_00F51740
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F618D0 NtdllDefWindowProc_W,0_2_00F618D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F51D70 NtdllDefWindowProc_W,0_2_00F51D70
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\44d18d.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID50B.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0107C120
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0101C150
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F5AB80
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01058C40
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F662B0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F644A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F5E540
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010F4801
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F58DF0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010EEF3A
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F43010
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010DF44E
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01023460
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F75680
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010DF7DC
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F63890
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F679D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F9FAD0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010F9D65
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F43E25
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 00F47160 appears 50 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 00F73BA0 appears 90 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 00F49990 appears 69 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 0103F720 appears 61 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 00F470D0 appears 36 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 00F487D0 appears 404 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: String function: 00F49120 appears 41 times
Source: L7eGkXK1vw.exe, 00000000.00000003.1993768846.000000000188E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDecoder.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameInstaller.exe. vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe | Binary or memory string: OriginalFileNameInstaller.exe. vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe | Binary or memory string: OriginalFilenameDecoder.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shiCF5B.tmp.0.dr | Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine | Classification label: clean9.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01043200 FormatMessageW,GetLastError,0_2_01043200
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106DAE0 GetDiskFreeSpaceExW,0_2_0106DAE0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01087B10 CoCreateInstance,0_2_01087B10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FDAD00 FindResourceW,LoadResource,LockResource,SizeofResource,0_2_00FDAD00
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File created: C:\Users\user\AppData\Roaming\Customers suppliers spot report
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File created: C:\Users\user\AppData\Local\Temp\shiCF5B.tmp
Source: L7eGkXK1vw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File read: C:\Users\user\Desktop\L7eGkXK1vw.exe
Source: unknown | Process created: C:\Users\user\Desktop\L7eGkXK1vw.exe "C:\Users\user\Desktop\L7eGkXK1vw.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding ACA38A334053287546358A7834586E97 C
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\ADBBE7B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\L7eGkXK1vw.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488680 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C9C4CD5A6467721AC65AAF0E4F5DEE73
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: L7eGkXK1vw.exe | Static PE information: certificate valid
Source: L7eGkXK1vw.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: L7eGkXK1vw.exe | Static file information: File size 51727144 > 1048576
Source: L7eGkXK1vw.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x217a00
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: L7eGkXK1vw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: L7eGkXK1vw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: L7eGkXK1vw.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: L7eGkXK1vw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: L7eGkXK1vw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: L7eGkXK1vw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: L7eGkXK1vw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: L7eGkXK1vw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shiCF5B.tmp.0.dr | Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01080560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01080560
Source: shiCF5B.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shiCF5B.tmp.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875C80 push ecx; ret 0_3_01875C81
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875C80 push ecx; ret 0_3_01875C81
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_0187CB92 push eax; retf 0_3_0187CBA1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_0187CB92 push eax; retf 0_3_0187CBA1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875898 push edi; ret 0_3_018759B1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875898 push edi; ret 0_3_018759B1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875758 push ebp; ret 0_3_01875759
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875758 push ebp; ret 0_3_01875759
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_0184C9A3 pushad ; iretd 0_3_0184CEA9
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01858440 push eax; retf 0_3_01858441
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01858440 push eax; retf 0_3_01858441
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875C80 push ecx; ret 0_3_01875C81
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875C80 push ecx; ret 0_3_01875C81
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_0187CB92 push eax; retf 0_3_0187CBA1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_0187CB92 push eax; retf 0_3_0187CBA1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875898 push edi; ret 0_3_018759B1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875898 push edi; ret 0_3_018759B1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875758 push ebp; ret 0_3_01875759
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01875758 push ebp; ret 0_3_01875759
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_0184C9A3 pushad ; iretd 0_3_0184CEA9
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01858440 push eax; retf 0_3_01858441
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_3_01858440 push eax; retf 0_3_01858441
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00FE60EB push ecx; mov dword ptr [esp], 3F800000h 0_2_00FE62BE
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D771E push ecx; ret 0_2_010D7731
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F55CB0 push ecx; mov dword ptr [esp], ecx 0_2_00F55CB1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01023D60 push ecx; mov dword ptr [esp], 3F800000h 0_2_01023E96
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File created: C:\Users\user\AppData\Local\Temp\shiCF5B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID50B.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File created: C:\Users\user\AppData\Local\Temp\MSID027.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File created: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\decoder.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File created: C:\Users\user\AppData\Local\Temp\MSID0A5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID50B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiCF5B.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSID50B.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID027.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\decoder.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID0A5.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File Volume queried: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File Volume queried: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\ADBBE7B FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01062380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_01062380
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F5AB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00F5AB80
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01044DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_01044DA0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01045370 FindFirstFileW,GetLastError,FindClose, 0_2_01045370
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01063220 FindFirstFileW,FindClose, 0_2_01063220
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01028230 FindFirstFileW,FindNextFileW,FindClose, 0_2_01028230
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0106C530
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106C930 FindFirstFileW,FindClose, 0_2_0106C930
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010808D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_010808D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01044A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_01044A10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0104CF00 FindFirstFileW,FindClose,FindClose, 0_2_0104CF00
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0105F260 FindFirstFileW,FindClose, 0_2_0105F260
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106F8A0 FindFirstFileW,FindClose, 0_2_0106F8A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0106B500
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D411D VirtualQuery,GetSystemInfo, 0_2_010D411D
Source: Installer.msi.0.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: L7eGkXK1vw.exe | Binary or memory string: VmCI_
Source: L7eGkXK1vw.exe | Binary or memory string: pVMCI
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D6437 IsDebuggerPresent,OutputDebugStringW, 0_2_010D6437
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01078A50 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_01078A50
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_01080560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01080560
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D674C mov esi, dword ptr fs:[00000030h] 0_2_010D674C
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010F8A0E mov eax, dword ptr fs:[00000030h] 0_2_010F8A0E
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010ED840 mov ecx, dword ptr fs:[00000030h] 0_2_010ED840
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D67B8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_010D67B8
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_00F72530 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00F72530
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D71E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010D71E8
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010DBEA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_010DBEA3
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\customers suppliers spot report\aiedit 1.0.0\install\adbbe7b\installer.msi" ai_setupexepath=c:\users\user\desktop\l7egkxk1vw.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488680 " ai_euimsi=""
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\customers suppliers spot report\aiedit 1.0.0\install\adbbe7b\installer.msi" ai_setupexepath=c:\users\user\desktop\l7egkxk1vw.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488680 " ai_euimsi=""
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0106FD20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_0106FD20
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_01064F10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_010F4D50
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: EnumSystemLocalesW, 0_2_010F0DD9
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW, 0_2_010F4F4B
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: EnumSystemLocalesW, 0_2_010F4FF2
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_010F5163
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: EnumSystemLocalesW, 0_2_010F503D
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: EnumSystemLocalesW, 0_2_010F50D8
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW, 0_2_010F1356
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW, 0_2_010F53B6
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW, 0_2_010F55E5
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_010F54DF
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_010F56B4
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0107C8F0 CreateNamedPipeW,CreateFileW, 0_2_0107C8F0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_010D63AD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_010D63AD
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe | Code function: 0_2_0107B490 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_0107B490
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown next to that technique in the report's matrix):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (1); Native API (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (21); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (31); Peripheral Device Discovery (11); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (3); System Information Discovery (25)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (the graph image itself is not reproduced here; the following is the information recoverable from it)
Behavior Graph ID: 1554993
Sample: L7eGkXK1vw.exe
Startdate: 13/11/2024
Architecture: WINDOWS
Score: 9
Process tree:
  • L7eGkXK1vw.exe (started at sample start) dropped C:\Users\user\AppData\Roaming\...\decoder.dll (PE32), C:\Users\user\AppData\Local\...\shiCF5B.tmp (PE32+), C:\Users\user\AppData\Local\...\MSID0A5.tmp (PE32) and C:\Users\user\AppData\Local\...\MSID027.tmp (PE32), and started msiexec.exe
  • msiexec.exe (started at sample start) dropped C:\Windows\Installer\MSID50B.tmp, C:\Windows\Installer\MSID4CB.tmp, C:\Windows\Installer\MSID48C.tmp and C:\Windows\Installer\MSID2B6.tmp (all PE32), and started two further msiexec.exe processes

Antivirus detection, sample (Source: Detection, Scanner):
L7eGkXK1vw.exe: 0%, ReversingLabs
L7eGkXK1vw.exe: 0%, Virustotal
Antivirus detection, dropped files (Source: Detection, Scanner):
C:\Users\user\AppData\Local\Temp\MSID027.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID027.tmp: 0%, Virustotal
C:\Users\user\AppData\Local\Temp\MSID0A5.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID0A5.tmp: 0%, Virustotal
C:\Users\user\AppData\Local\Temp\shiCF5B.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\shiCF5B.tmp: 0%, Virustotal
C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\decoder.dll: 0%, ReversingLabs
C:\Windows\Installer\MSID2B6.tmp: 0%, ReversingLabs
C:\Windows\Installer\MSID48C.tmp: 0%, ReversingLabs
C:\Windows\Installer\MSID4CB.tmp: 0%, ReversingLabs
C:\Windows\Installer\MSID50B.tmp: 0%, ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in memory or dropped files (Name; Source; Malicious; Antivirus Detection; Reputation):
http://html4/loose.dtd; shiCF5B.tmp.0.dr; false; none; high
https://www.advancedinstaller.com; L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr; false; none; high
https://www.thawte.com/cps0/; L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr; false; none; high
http://.css; shiCF5B.tmp.0.dr; false; none; high
http://.jpg; shiCF5B.tmp.0.dr; false; none; high
https://www.thawte.com/repository0W; L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr; false; none; high
              No contacted IP infos
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1554993
              Start date and time:2024-11-13 10:07:14 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 21s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:L7eGkXK1vw.exe
              renamed because original name is a hash value
              Original Sample Name:5a7889d8d11a64a8dd380049b9e1db2c7a20e9fa7f66b4538b281cd1e5c9d0e7.exe
              Detection:CLEAN
              Classification:clean9.winEXE@8/13@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 57%
              • Number of executed functions: 70
              • Number of non-executed functions: 191
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
              No context
              No context
              No context
              No context
Similar samples sharing a dropped file (Match; Associated Sample Name / URL; Detection; Threat Name):
Match: C:\Users\user\AppData\Local\Temp\MSID027.tmp
  • file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
  • 0n25lfPJxD.exe; malicious; AsyncRAT, DcRat, Quasar, XWorm
  • SecuriteInfo.com.BackDoor.Siggen2.4873.19832.17135.msi; malicious; Unknown
  • SecuriteInfo.com.BackDoor.Siggen2.4873.19471.19549.msi; malicious; Unknown
  • zoQOIWTCDJ.msi; malicious; Unknown
  • EjhVO5YaYI.msi; malicious; Unknown
  • QuickBooks JAWANI.msi; malicious; Unknown
  • QuickBooks Setup.msi; malicious; Unknown
  • QuickBooks Setup.msi.zip; malicious; Unknown
  • Honeygain_install.exe; malicious; Unknown
                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):270
                                  Entropy (8bit):3.4283355313121593
                                  Encrypted:false
                                  SSDEEP:6:QkD6RfXcOYrsfc/okjxaaOEqQbr62avKpnKBlv2K84UlUlzlXH:Qw6ZXWsc/7aFEVbr62aInKT8AH
                                  MD5:878ACF1A62462F8F2DCE176FC0D06A25
                                  SHA1:2ECFFF9375680E3DC7CB86F6E7C9E5F719A05642
                                  SHA-256:E8361A711A6D268667B12DBD91DF23BF92E248F883D79F4D3CCB57CDF50553BC
                                  SHA-512:1CDA588D4DE956A7C47B15F3D606D453474292858AE7B5FDF8DC6F1F369BFB5D0F623A741352165BF34C5A2CEBEC4DFCB9C1E86B0894BEA1D85D186CBC7E2A8C
                                  Malicious:false
                                  Reputation:low
                                  Preview:..A.i.E.d.i.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .s.y.s.t.e.m.s. .w.i.t.h. .s.c.r.e.e.n. .r.e.s.o.l.u.t.i.o.n. .s.m.a.l.l.e.r. .t.h.a.n. .1.3.6.0. .x. .7.6.8.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.3./.1.1./.2.0.2.4. . .0.4.:.0.8.:.1.2. .=.=.=.....
                                  Process:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:6144:3SGhsSlnJc5xR+yGjNUaPkp8u84XLyJ+8zLCAONOmXNfnZRAF3U+Hj1:3SGXc5Seas8uDELCeGNPZh+Hj1
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Joe Sandbox View:
                                  • Filename: file.exe, Detection: malicious, Browse
                                  • Filename: 0n25lfPJxD.exe, Detection: malicious, Browse
                                  • Filename: SecuriteInfo.com.BackDoor.Siggen2.4873.19832.17135.msi, Detection: malicious, Browse
                                  • Filename: SecuriteInfo.com.BackDoor.Siggen2.4873.19471.19549.msi, Detection: malicious, Browse
                                  • Filename: zoQOIWTCDJ.msi, Detection: malicious, Browse
                                  • Filename: EjhVO5YaYI.msi, Detection: malicious, Browse
                                  • Filename: QuickBooks JAWANI.msi, Detection: malicious, Browse
                                  • Filename: QuickBooks Setup.msi, Detection: malicious, Browse
                                  • Filename: QuickBooks Setup.msi.zip, Detection: malicious, Browse
                                  • Filename: Honeygain_install.exe, Detection: malicious, Browse
                                  Reputation:moderate, very likely benign file
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):934880
                                  Entropy (8bit):6.463468533833365
                                  Encrypted:false
                                  SSDEEP:24576:FmCzCf7c4yQ8xtgIZROly4aNXVW+hv+Ahi:8Rc4yQ8xtoly4aNXVW+hv+Ahi
                                  MD5:B15DBF4B35CD1460BA283795E24878C8
                                  SHA1:327812BE4BFDCE7A87CB00FAB432ECC0D8C38C1E
                                  SHA-256:0AC07DB6140408E9586D46727EB32AF8F8048CAD535ECA9052B6EF1149E63147
                                  SHA-512:95EDC60C9658E0E8631604459969A406414902F297B7A14F2BE6D3BC18878636167D202530D4EE3B4D7AF189A9139A2183929250920196C48C08EDA3D6DFDCA4
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:bu.[.&.[.&.[.&7).'.[.&7).'Q[.&.#.'.[.&.#.'.[.&.#.'.[.&7).'.[.&7).'.[.&.[.&.Z.&d".'.[.&d".'.[.&d".&.[.&.[.&.[.&d".'.[.&Rich.[.&................PE..L....8b.........."!................ ........................................p......$.....@.........................0|..t....|.......`...............*.......p.......,..p...................@-.......+..@............................................text............................... ..`.rdata..T...........................@..@.data...T............x..............@....rsrc........`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):5038592
                                  Entropy (8bit):6.043058205786219
                                  Encrypted:false
                                  SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                  MD5:11F7419009AF2874C4B0E4505D185D79
                                  SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                  SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                  SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Reputation:moderate, very likely benign file
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L*......N*.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {78879585-F815-46D3-A8F3-19D63E9AA515}, Number of Words: 0, Subject: AiEdit, Author: Customers suppliers spot report, Name of Creating Application: AiEdit, Template: ;1033, Comments: This installer database contains the logic and data required to install AiEdit., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):2493440
                                  Entropy (8bit):6.592320212340308
                                  Encrypted:false
                                  SSDEEP:49152:fjgYW67SAZhAjMApRc4yQ8xtoly4aNXVW+hv+AhilHovZ2V9SH+0Jd0NQ:sYWsVAEtoTo
                                  MD5:7078F6C5EE51B59A30863C6066823109
                                  SHA1:E7B65E3E4249370AC9B79F200B1DA254AD8F0AE5
                                  SHA-256:9BCDC57EC45AE100EF4F6600A7A4AF0786022A379A40E829C70CA7C2B6D06140
                                  SHA-512:BE4DBC615E1C7FB1CCFBBD3C94BE60527A63E13AE260531E7F1B21F9159F19CB7D46EACDEA17F24591B038E3D486347CD13FDD885AAF6622043DBEBBFF86103F
                                  Malicious:false
                                  Preview:......................>...................'...................................N.......{.......4...5...6...7...8...9...:...;..."...#...$...%...&...'...(...)...*...+...,...-......./...R...S...T...U...V...W...X...Y...Z...[...............................................................................................................................................................................................................................................................................................................h...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)...*...4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C...9...E...M...G...H...I...J...K...L...E...P.......P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                  Process:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):211456
                                  Entropy (8bit):6.450220092257771
                                  Encrypted:false
                                  SSDEEP:3072:iltFwoJxZQ4fK70l5DqKtRnBBjGd4uM4h0lntiEnc2xMe4fyyERt:iaU87+3nHy6n0NF5ERt
                                  MD5:899944FB96CCC34CFBD2CCB9134367C5
                                  SHA1:7C46AA3F84BA5DA95CEFF39CD49185672F963538
                                  SHA-256:780D10EDA2B9A0A10BF844A7C8B6B350AA541C5BBD24022FF34F99201F9E9259
                                  SHA-512:2C41181F9AF540B4637F418FC148D41D7C38202FB691B56650085FE5A9BDBA068275FF07E002E1044760754876C62D7B4FC856452AF80A02C5F5A9A7DC75B5E0
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+(..oI..oI..oI..;..eI..;...I...1..JI...1...I...1..yI..;..zI..;..hI..oI...I...0..3I...0..nI...0..nI..oIe.nI...0..nI..RichoI..................PE..L.....8b.........."!.....f................................................................@.................................\...<....... .......................@ ......p...............................@...............t............................text....d.......f.................. ..`.rdata...............j..............@..@.data...dV... ......................@....rsrc... ...........................@..@.reloc..@ ......."..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):162295024
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:B47D8C692406DFFE88C5FB9BA813E9AC
                                  SHA1:3A79C5117006D42A15B097C79B590C7FE4E32093
                                  SHA-256:F2AD58324E8E8EC3E799C262B07EA33976FBFD419D0CBFCBB5C02DC28E0CCA64
                                  SHA-512:29C754590D6A7ED79C6160E41EA39E246B1B86F921F632C463C2C160074F79BBD9C6B65D788CA143DEDB0E923605C8784A3E7F57912CA90B9F4ED8C20F6915B0
                                  Malicious:false
                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {78879585-F815-46D3-A8F3-19D63E9AA515}, Number of Words: 0, Subject: AiEdit, Author: Customers suppliers spot report, Name of Creating Application: AiEdit, Template: ;1033, Comments: This installer database contains the logic and data required to install AiEdit., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):2493440
                                  Entropy (8bit):6.592320212340308
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:7078F6C5EE51B59A30863C6066823109
                                  SHA1:E7B65E3E4249370AC9B79F200B1DA254AD8F0AE5
                                  SHA-256:9BCDC57EC45AE100EF4F6600A7A4AF0786022A379A40E829C70CA7C2B6D06140
                                  SHA-512:BE4DBC615E1C7FB1CCFBBD3C94BE60527A63E13AE260531E7F1B21F9159F19CB7D46EACDEA17F24591B038E3D486347CD13FDD885AAF6622043DBEBBFF86103F
                                  Malicious:false
                                  Preview:......................>...................'...................................N.......{.......4...5...6...7...8...9...:...;..."...#...$...%...&...'...(...)...*...+...,...-......./...R...S...T...U...V...W...X...Y...Z...[...............................................................................................................................................................................................................................................................................................................h...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)...*...4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C...9...E...M...G...H...I...J...K...L...E...P.......P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):507360
                                  Entropy (8bit):6.416174396827717
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:CFAB78AC0D042A1D8AD7085A94328EF6
                                  SHA1:B3070CC847BA2739450DC9BD05040DF83E7D85D2
                                  SHA-256:17B10DF05B4B92735B673914FE2BF0C0D7BBDA5B4A8F9A7FC81A0EFAA4380168
                                  SHA-512:647B909F1E833DD08D99AAA29A3404E64C58356DFA0A3ABEB788768D74ABB0948D2B612A6DA62F2617270CD85110E8AA2B26E5E4558AF0D0B84F920C40533438
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......alV_%.8.%.8.%.8...;.(.8...=...8.Gu<.4.8.Gu;.=.8.Gu=.l.8...<.<.8...>.$.8...9...8.%.9...8..t1.x.8..t8.$.8..t..$.8.%...$.8..t:.$.8.Rich%.8.................PE..L.....8b.........."!.....0..........Uv.......@...........................................@..................................!.......p..........................$V..8...p...........................x...@............@...............................text...F........0.................. ..`.rdata.......@.......4..............@..@.data...d"...@.......0..............@....rsrc........p.......D..............@..@.reloc..$V.......X...L..............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:modified
                                  Size (bytes):934880
                                  Entropy (8bit):6.463468533833365
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:B15DBF4B35CD1460BA283795E24878C8
                                  SHA1:327812BE4BFDCE7A87CB00FAB432ECC0D8C38C1E
                                  SHA-256:0AC07DB6140408E9586D46727EB32AF8F8048CAD535ECA9052B6EF1149E63147
                                  SHA-512:95EDC60C9658E0E8631604459969A406414902F297B7A14F2BE6D3BC18878636167D202530D4EE3B4D7AF189A9139A2183929250920196C48C08EDA3D6DFDCA4
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:bu.[.&.[.&.[.&7).'.[.&7).'Q[.&.#.'.[.&.#.'.[.&.#.'.[.&7).'.[.&7).'.[.&.[.&.Z.&d".'.[.&d".'.[.&d".&.[.&.[.&.[.&d".'.[.&Rich.[.&................PE..L....8b.........."!................ ........................................p......$.....@.........................0|..t....|.......`...............*.......p.......,..p...................@-.......+..@............................................text............................... ..`.rdata..T...........................@..@.data...T............x..............@....rsrc........`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):364484
                                  Entropy (8bit):5.365491012451442
                                  Encrypted:false
                                  SSDEEP:
                                  MD5:1DA4753E080BCC3F8D005B4EC8DFD6E2
                                  SHA1:4761F829A0D0068F6B25979510A8B9609AEC0BB6
                                  SHA-256:1458376EBFAFC66FD8074A81A95C8ADAF72E6AE68D7C95D2CB4D19395332F3A6
                                  SHA-512:728E91DC31F3314250BEC448CE745B0899CFF54C54C0DA19B0538752FEBCF141C3C56ADAF5F686F80A32B592D50B2248BFAE39BD4F9AC234F970268CC44FB6C2
                                  Malicious:false
                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.977849771596478
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:L7eGkXK1vw.exe
                                  File size:51'727'144 bytes
                                  MD5:b4826e1862bf50df8e729c8fadeb9f0b
                                  SHA1:cc3b95c66ead4d0bc695a5c87241f6eda51febbb
                                  SHA256:5a7889d8d11a64a8dd380049b9e1db2c7a20e9fa7f66b4538b281cd1e5c9d0e7
                                  SHA512:36cc8162fa6b05bc2c6de448cd003ee5a1d666ab3d5e612947d0f15bf2b0f0795236459d0427197dde02c5c72349647671c9b115384bc06013801435283b8a92
                                  SSDEEP:1572864:iws7oQONlPVOJfmKRG6x21ZOs8CwaiIgUgHIkZQ:ipoQyVOMOlCwaiIIoOQ
                                  TLSH:D4B72330364EC52BDA6615B0693C869F511D6F750B7288C7B3DC7D6E2AB48C31632E2B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.....t...t...t...w.#.t...q...t...r./.t.L.p.=.t.L.w.6.t.L.q.M.t...p.4.t...u.-.t...s./.t...u...t...}.c.t...../.t...../.t...v./.t
                                  Icon Hash:ffb7c95954e6bdff
                                  Entrypoint:0x597714
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6238823F [Mon Mar 21 13:48:47 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:836688c7d21e39394af41ce9a8c2d728
                                  Signature Valid:true
                                  Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                  Signature Validation Error:The operation completed successfully
                                  Error Number:0
                                   Not Before: 30/08/2024 08:25:00
                                   Not After: 30/08/2025 08:25:00
                                  Subject Chain
                                  • OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=ConsolHQ LTD, SERIALNUMBER=12800651, O=ConsolHQ LTD, L=Erith, C=GB
                                  Version:3
                                  Thumbprint MD5:E4ED28FFAC43E82D3DB5467DE244B770
                                  Thumbprint SHA-1:787863161875446360E7486D3CF5E34E15DC8009
                                  Thumbprint SHA-256:CA814262219EF4B9EF1CC76050E02D41B34F87AEF05D34FA378DAE913F4C784C
                                  Serial:740833F89CC52CAE8CEA1984A66DBB66
                                  Instruction
                                  call 00007F8C31552B5Fh
                                  jmp 00007F8C3155239Fh
                                  mov ecx, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], ecx
                                  pop ecx
                                  pop edi
                                  pop edi
                                  pop esi
                                  pop ebx
                                  mov esp, ebp
                                  pop ebp
                                  push ecx
                                  ret
                                  mov ecx, dword ptr [ebp-10h]
                                  xor ecx, ebp
                                  call 00007F8C315519F3h
                                  jmp 00007F8C31552502h
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [0069F01Ch]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], esp
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | (none)
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29de24 | 0x28 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a8000 | 0x4b6fc | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | (none)
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3152b10 | 0x2018 | (none; for this entry the address is the file offset of the Authenticode signature, not an RVA)
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f4000 | 0x257cc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x247848 | 0x70 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | (none)
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | (none)
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x2478c0 | 0x18 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21af38 | 0x40 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | (none)
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x219000 | 0x2c0 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x29b218 | 0x260 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | (none)
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | (none)
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0x21791f | 0x217a00 | c49c101070a1945156e31ccb8b4c699f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata | 0x219000 | 0x85e1c | 0x86000 | 0bc20f46e2242997255f9f9e7ecca899 | False | 0.31188236065764924 | data | 4.604766709480219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0x29f000 | 0x89f0 | 0x6a00 | 718c6ac2ba6bcb374d818e1d67c3a166 | False | 0.1418410966981132 | DOS executable (block device driver \340kY) | 2.877738466626911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x2a8000 | 0x4b6fc | 0x4b800 | ee37f85b0eeef512b9dab9a467ba6806 | False | 0.18434072330298013 | data | 5.801172865448925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x2f4000 | 0x257cc | 0x25800 | 341590d742eebeddce717893413cf78e | False | 0.44703125 | data | 6.513825531591639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
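The data-directory and section tables above are exactly what a PE header walker reads, so the script below is added here as a worked example (it is not Joe Sandbox code). It assembles a PE32 header in memory from the values the report lists for L7eGkXK1vw.exe, decodes the TimeDateStamp (0x6238823F), resolves the entry point and each directory to its section the way the "Is in Section" column does, and checks where the Authenticode blob sits. The PointerToRawData values and the zeroed optional-header fields are assumptions, since the report does not show them. Two things the tables only imply become explicit: IMAGE_DIRECTORY_ENTRY_SECURITY is the one entry whose address is a file offset rather than an RVA (hence no section), and here it ends exactly at the 51'727'144-byte file size, while the sections account for only about 3.2 MB, so roughly 48 MB of overlay sits between the last section and the signature, presumably the payload that later appears as Installer.msi.

```python
"""PE32 header walker for the tables above. Added example, not Joe Sandbox code:
the header built here is constructed from the report's values for L7eGkXK1vw.exe;
PointerToRawData and the zeroed optional-header fields are assumptions."""
import struct
from datetime import datetime, timezone

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: address is a file offset, not an RVA

# Values from the report. PointerToRawData (5th field) is assumed: 0x400 for the
# first section, then each section directly after the previous one's raw data.
REPORT_DIRS = [(0x0, 0x0), (0x29de24, 0x28), (0x2a8000, 0x4b6fc), (0x0, 0x0),
               (0x3152b10, 0x2018), (0x2f4000, 0x257cc), (0x247848, 0x70), (0x0, 0x0),
               (0x0, 0x0), (0x2478c0, 0x18), (0x21af38, 0x40), (0x0, 0x0),
               (0x219000, 0x2c0), (0x29b218, 0x260), (0x0, 0x0), (0x0, 0x0)]
REPORT_SECTIONS = [  # name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics
    (".text",  0x1000,   0x21791f, 0x217a00, 0x400,    0x60000020),
    (".rdata", 0x219000, 0x85e1c,  0x86000,  0x217e00, 0x40000040),
    (".data",  0x29f000, 0x89f0,   0x6a00,   0x29de00, 0xC0000040),
    (".rsrc",  0x2a8000, 0x4b6fc,  0x4b800,  0x2a4800, 0x40000040),
    (".reloc", 0x2f4000, 0x257cc,  0x25800,  0x2f0000, 0x42000040),
]
REPORT_FILE_SIZE = 51_727_144
REPORT_TIMESTAMP = 0x6238823F
REPORT_ENTRY_RVA = 0x597714 - 0x400000   # report gives the VA; image base is 0x400000

def build_pe32(timestamp, entry_rva, image_base, directories, sections):
    """Assemble DOS stub, PE signature, COFF header, PE32 optional header, section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14c, len(sections), timestamp, 0, 0, 224, 0x0122)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10b)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                       # ImageBase
    struct.pack_into("<I", opt, 92, len(directories))                 # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(directories):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_headers(data):
    """Read timestamp, entry point, image base, data directories and section table."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10b:
        raise ValueError("only PE32 is handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    hdr = {"timestamp": ts,
           "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
           "image_base": struct.unpack_from("<I", data, opt + 28)[0],
           "dirs": [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)],
           "sections": []}
    for i in range(nsec):
        n, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data,
                                                               opt + opt_size + 40 * i)
        hdr["sections"].append({"name": n.rstrip(b"\0").decode(), "va": va, "vsize": vs,
                                "raw_size": rs, "raw_ptr": rp, "chars": ch})
    return hdr

def compile_time(hdr):
    return datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)

def section_for_rva(sections, rva):
    """Section whose virtual range contains rva, or None (the report's "Is in Section")."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None

def directory_table(hdr):
    """(name, address, size, section) per directory; SECURITY holds a file offset, never mapped."""
    rows = []
    for i, (addr, size) in enumerate(hdr["dirs"]):
        sec = None if (i == SECURITY or size == 0) else section_for_rva(hdr["sections"], addr)
        rows.append((f"IMAGE_DIRECTORY_ENTRY_{DIR_NAMES[i]}", addr, size, sec))
    return rows

def overlay_and_signature(hdr, file_size):
    """Bytes between the last section's raw data and the Authenticode blob, and whether
    that blob is the final thing in the file (the usual layout for a signed installer)."""
    end_of_sections = max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"])
    sig_off, sig_size = hdr["dirs"][SECURITY]
    payload_end = sig_off if sig_size else file_size
    return {"overlay_bytes": payload_end - end_of_sections,
            "signature_at_eof": sig_size > 0 and sig_off + sig_size == file_size}

SAMPLE = build_pe32(REPORT_TIMESTAMP, REPORT_ENTRY_RVA, 0x400000, REPORT_DIRS, REPORT_SECTIONS)

if __name__ == "__main__":
    hdr = parse_headers(SAMPLE)
    print("compiled:", compile_time(hdr).isoformat())
    ep = hdr["image_base"] + hdr["entry_rva"]
    print(f"entry point 0x{ep:x} in {section_for_rva(hdr['sections'], hdr['entry_rva'])}")
    for name, addr, size, sec in directory_table(hdr):
        print(f"{name:<38} 0x{addr:<8x} 0x{size:<6x} {sec or ''}")
    print(overlay_and_signature(hdr, REPORT_FILE_SIZE))
```

Against a real file, replace SAMPLE with the file's bytes and REPORT_FILE_SIZE with its length; the section resolution uses VirtualSize, which is why the .data entry (VirtualSize 0x89f0, larger than its 0x6a00 of raw data) still maps correctly. The compile time of 2022-03-21 predates the signing certificate's Not Before of 30/08/2024; that is a datapoint to weigh, not a verdict, since installer stubs are routinely signed long after they were built.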
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   IMAGE_FILE | 0x2a8cb0 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                   IMAGE_FILE | 0x2a8cb8 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                   RTF_FILE | 0x2a8cc0 | 0x2e9 | Rich Text Format data, version 1, ANSI, code page 1252 | English | United States | 0.5503355704697986
                                   RTF_FILE | 0x2a8fac | 0xa1 | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | English | United States | 0.906832298136646
                                   RT_BITMAP | 0x2a9050 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
                                   RT_BITMAP | 0x2a9190 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
                                   RT_BITMAP | 0x2a99b8 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
                                   RT_BITMAP | 0x2ae260 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
                                   RT_BITMAP | 0x2aeccc | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
                                   RT_BITMAP | 0x2aee20 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
                                   RT_ICON | 0x2af648 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 39 x 39 px/m | English | United States | 0.7065602836879432
                                   RT_ICON | 0x2afab0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 39 x 39 px/m | English | United States | 0.5618852459016394
                                   RT_ICON | 0x2b0438 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 39 x 39 px/m | English | United States | 0.3968105065666041
                                   RT_ICON | 0x2b14e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 39 x 39 px/m | English | United States | 0.28526970954356845
                                   RT_ICON | 0x2b3a88 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 39 x 39 px/m | English | United States | 0.2151629664619745
                                   RT_ICON | 0x2b7cb0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 39 x 39 px/m | English | United States | 0.1788354898336414
                                   RT_ICON | 0x2bd138 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 39 x 39 px/m | English | United States | 0.1355371032163128
                                   RT_ICON | 0x2c65e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 39 x 39 px/m | English | United States | 0.10163551401869159
                                   RT_ICON | 0x2d6e08 | 0x2d05 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9739696312364425
                                   RT_MENU | 0x2d9b10 | 0x5c | data | English | United States | 0.8478260869565217
                                   RT_MENU | 0x2d9b6c | 0x2a | data | English | United States | 1.0714285714285714
                                   RT_DIALOG | 0x2d9b98 | 0xac | data | English | United States | 0.7151162790697675
                                   RT_DIALOG | 0x2d9c44 | 0x2a6 | data | English | United States | 0.5132743362831859
                                   RT_DIALOG | 0x2d9eec | 0x3b4 | data | English | United States | 0.43248945147679324
                                   RT_DIALOG | 0x2da2a0 | 0xbc | data | English | United States | 0.7180851063829787
                                   RT_DIALOG | 0x2da35c | 0x204 | data | English | United States | 0.560077519379845
                                   RT_DIALOG | 0x2da560 | 0x282 | data | English | United States | 0.48598130841121495
                                   RT_DIALOG | 0x2da7e4 | 0xcc | data | English | United States | 0.6911764705882353
                                   RT_DIALOG | 0x2da8b0 | 0x146 | data | English | United States | 0.5736196319018405
                                   RT_DIALOG | 0x2da9f8 | 0x226 | data | English | United States | 0.4690909090909091
                                   RT_DIALOG | 0x2dac20 | 0x388 | data | English | United States | 0.45464601769911506
                                   RT_DIALOG | 0x2dafa8 | 0x1b4 | data | English | United States | 0.5458715596330275
                                   RT_DIALOG | 0x2db15c | 0x136 | data | English | United States | 0.6064516129032258
                                   RT_DIALOG | 0x2db294 | 0x4c | data | English | United States | 0.8289473684210527
                                   RT_STRING | 0x2db2e0 | 0x45c | data | English | United States | 0.3844086021505376
                                   RT_STRING | 0x2db73c | 0x344 | data | English | United States | 0.37320574162679426
                                   RT_STRING | 0x2dba80 | 0x2f8 | data | English | United States | 0.4039473684210526
                                   RT_STRING | 0x2dbd78 | 0x598 | data | English | United States | 0.2807262569832402
                                   RT_STRING | 0x2dc310 | 0x3aa | StarOffice Gallery theme i, 1627418368 objects, 1st n | English | United States | 0.4211087420042644
                                   RT_STRING | 0x2dc6bc | 0x5c0 | data | English | United States | 0.3498641304347826
                                   RT_STRING | 0x2dcc7c | 0x568 | data | English | United States | 0.32875722543352603
                                   RT_STRING | 0x2dd1e4 | 0x164 | data | English | United States | 0.5421348314606742
                                   RT_STRING | 0x2dd348 | 0x520 | data | English | United States | 0.39176829268292684
                                   RT_STRING | 0x2dd868 | 0x1a0 | data | English | United States | 0.45913461538461536
                                   RT_STRING | 0x2dda08 | 0x18a | data | English | United States | 0.5228426395939086
                                   RT_STRING | 0x2ddb94 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
                                   RT_STRING | 0x2dddac | 0x624 | data | English | United States | 0.3575063613231552
                                   RT_STRING | 0x2de3d0 | 0x660 | data | English | United States | 0.3474264705882353
                                   RT_STRING | 0x2dea30 | 0x2e2 | data | English | United States | 0.4037940379403794
                                   RT_GROUP_ICON | 0x2ded14 | 0x84 | data | English | United States | 0.7196969696969697
                                   RT_VERSION | 0x2ded98 | 0x318 | data | English | United States | 0.44065656565656564
                                   RT_HTML | 0x2df0b0 | 0x37c8 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08291316526610644
                                   RT_HTML | 0x2e2878 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
                                   RT_HTML | 0x2e3b90 | 0x4fa | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3626373626373626
                                   RT_HTML | 0x2e408c | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
                                   RT_HTML | 0x2eab5c | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
                                   RT_HTML | 0x2eb200 | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
                                   RT_HTML | 0x2ec24c | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
                                   RT_HTML | 0x2ed800 | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
                                   RT_HTML | 0x2ef85c | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
                                   RT_MANIFEST | 0x2f2eec | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.40814348036839554
                                   DLL | Import
                                   KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
                                   Language of compilation system | Country where language is spoken
                                   English | United States
                                  No network behavior found

                                  Target ID:0
                                  Start time:04:07:59
                                  Start date:13/11/2024
                                  Path:C:\Users\user\Desktop\L7eGkXK1vw.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\L7eGkXK1vw.exe"
                                  Imagebase:0xf40000
                                  File size:51'727'144 bytes
                                  MD5 hash:B4826E1862BF50DF8E729C8FADEB9F0B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:04:08:03
                                  Start date:13/11/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                  Imagebase:0x7ff72cb50000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:04:08:03
                                  Start date:13/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding ACA38A334053287546358A7834586E97 C
                                  Imagebase:0x130000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:04:08:03
                                  Start date:13/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\ADBBE7B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\L7eGkXK1vw.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488680 " AI_EUIMSI=""
                                  Imagebase:0x130000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:04:08:04
                                  Start date:13/11/2024
                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C9C4CD5A6467721AC65AAF0E4F5DEE73
                                  Imagebase:0x130000
                                  File size:59'904 bytes
                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:3.7%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:23.3%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:81
68283->68317 68284->68317 68285 1062b73 CreateEventW 68287 1062b8a 68285->68287 68286 1062ba0 CreateThread 68290 1062bd4 WaitForSingleObject GetExitCodeThread 68286->68290 68291 1062bcd 68286->68291 68369 10806e0 237 API calls 68286->68369 68287->68286 68288 1062c74 CloseHandle 68289 1062c7e 68288->68289 68294 102d800 2 API calls 68289->68294 68292 1062c14 68290->68292 68293 1062bec 68290->68293 68291->68290 68292->68283 68296 1062c23 CloseHandle 68292->68296 68293->68283 68295 1062c02 CloseHandle 68293->68295 68304 1062cb3 std::ios_base::_Ios_base_dtor 68294->68304 68295->68283 68296->68283 68297 1062d30 68300 10e0746 __freea 2 API calls 68297->68300 68301 1062d41 68297->68301 68298 1062de8 68351 f52a50 RaiseException 68298->68351 68300->68301 68303 10d6c0a _ValidateLocalCookies 5 API calls 68301->68303 68302 1080480 2 API calls 68302->68304 68305 1062dd4 68303->68305 68304->68297 68304->68298 68304->68302 68307 f49e20 43 API calls 68307->68316 68308 1040e50 45 API calls 68308->68316 68309 1040e50 45 API calls 68320 106291d std::locale::_Setgloballocale 68309->68320 68310 f5b580 33 API calls 68310->68316 68312 1062946 FindFirstFileW 68313 106298a FindClose 68312->68313 68312->68320 68313->68320 68315 f5b580 33 API calls 68315->68320 68316->68262 68316->68276 68316->68277 68316->68298 68316->68307 68316->68308 68316->68310 68316->68317 68319 10458e0 118 API calls 68316->68319 68316->68320 68322 10403b0 34 API calls 68316->68322 68323 1080560 68316->68323 68343 1044970 92 API calls _wcsrchr 68316->68343 68344 1080600 CreateFileW 68316->68344 68317->68288 68317->68289 68318 1080600 238 API calls 68318->68320 68319->68316 68320->68309 68320->68312 68320->68315 68320->68316 68320->68318 68321 1062aa8 68320->68321 68321->68317 68322->68316 68324 1080569 68323->68324 68325 108056e LoadLibraryW 68323->68325 68324->68316 68326 1080587 68325->68326 68327 10805a1 68326->68327 68328 10805a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 68326->68328 68327->68316 
68328->68316 68330 10815f8 CreateEventW 68329->68330 68331 1081626 CreateThread 68329->68331 68336 108160d 68330->68336 68332 108173c WaitForSingleObject GetExitCodeThread 68331->68332 68335 1081662 68331->68335 68353 1081980 68331->68353 68333 1081769 CloseHandle 68332->68333 68334 1062b4e 68332->68334 68333->68334 68334->68283 68334->68285 68334->68286 68337 108178d 68335->68337 68338 1081720 68335->68338 68336->68331 68352 f52a50 RaiseException 68337->68352 68338->68332 68340 1081799 68341->68273 68342->68269 68343->68316 68346 108062d 68344->68346 68345 10806a9 68345->68316 68346->68345 68347 f49ae0 2 API calls 68346->68347 68348 10806db 68347->68348 68368 10806f0 237 API calls __freea 68348->68368 68350 10806e9 68350->68316 68351->68262 68352->68340 68358 10817a0 68353->68358 68355 1081984 68356 10817a0 RaiseException 68355->68356 68357 1081989 68356->68357 68359 10817da 68358->68359 68360 1081937 68359->68360 68367 f52a50 RaiseException 68359->68367 68360->68355 68362 108197b 68363 10817a0 RaiseException 68362->68363 68364 1081984 68363->68364 68365 10817a0 RaiseException 68364->68365 68366 1081989 68365->68366 68366->68355 68367->68362 68368->68350 68370 f72530 68371 f72543 std::ios_base::_Ios_base_dtor 68370->68371 68376 10d8723 68371->68376 68374 f7256b 68375 f72559 SetUnhandledExceptionFilter 68375->68374 68381 10d875b 68376->68381 68378 10d872c 68379 10d875b __set_se_translator 41 API calls 68378->68379 68380 f7254d 68379->68380 68380->68374 68380->68375 68394 10d8769 11 API calls 3 library calls 68381->68394 68383 10d8760 68383->68378 68395 10f0417 EnterCriticalSection std::locale::_Setgloballocale 68383->68395 68385 10e0fa6 68386 10e0fb1 68385->68386 68396 10f045c 31 API calls 6 library calls 68385->68396 68388 10e0fda 68386->68388 68389 10e0fbb IsProcessorFeaturePresent 68386->68389 68398 10ed911 68388->68398 68390 10e0fc7 68389->68390 68397 10dbea3 8 API calls 2 library calls 68390->68397 68394->68383 68395->68385 68396->68386 68397->68388 68401 
10ed735 68398->68401 68402 10ed774 68401->68402 68403 10ed762 68401->68403 68413 10ed5de 68402->68413 68426 10ed7fd GetModuleHandleW 68403->68426 68406 10ed767 68406->68402 68427 10ed862 GetModuleHandleExW 68406->68427 68407 10ed7ab 68408 10e0fe4 68407->68408 68419 10ed7cc 68407->68419 68408->68378 68414 10ed5ea __Getctype 68413->68414 68433 10eba2a EnterCriticalSection 68414->68433 68416 10ed5f4 68434 10ed64a 68416->68434 68418 10ed601 std::locale::_Setgloballocale 68418->68407 68453 10ed840 68419->68453 68422 10ed7ea 68424 10ed862 std::locale::_Setgloballocale 3 API calls 68422->68424 68423 10ed7da GetCurrentProcess TerminateProcess 68423->68422 68425 10ed7f2 ExitProcess 68424->68425 68426->68406 68428 10ed8c2 68427->68428 68429 10ed8a1 GetProcAddress 68427->68429 68431 10ed8c8 FreeLibrary 68428->68431 68432 10ed773 68428->68432 68429->68428 68430 10ed8b5 68429->68430 68430->68428 68431->68432 68432->68402 68433->68416 68435 10ed656 __Getctype 68434->68435 68437 10ed6bd std::locale::_Setgloballocale 68435->68437 68438 10ee21c 68435->68438 68437->68418 68439 10ee228 __EH_prolog3 68438->68439 68442 10edf74 68439->68442 68441 10ee24f std::locale::_Init 68441->68437 68443 10edf80 __Getctype 68442->68443 68448 10eba2a EnterCriticalSection 68443->68448 68445 10edf8e 68449 10ee12c 68445->68449 68447 10edf9b std::locale::_Setgloballocale 68447->68441 68448->68445 68450 10ee143 68449->68450 68452 10ee14b 68449->68452 68450->68447 68451 10eedad ___free_lconv_mon 2 API calls 68451->68450 68452->68450 68452->68451 68458 10f8a0e GetPEB std::locale::_Setgloballocale 68453->68458 68455 10ed845 68456 10ed7d6 68455->68456 68457 10ed84a GetPEB 68455->68457 68456->68422 68456->68423 68457->68456 68458->68455 68459 1081d20 68468 1081990 68459->68468 68462 1081d7a 68464 1081d8a 68462->68464 68466 1081d91 GetFileVersionInfoW 68462->68466 68463 1081dde GetLastError 68463->68464 68465 1081df0 DeleteFileW 68464->68465 68467 1081df7 68464->68467 68465->68467 68466->68463 68466->68464 
68483 10439a0 68468->68483 68471 10819d5 SHGetFolderPathW 68473 10819f3 std::locale::_Setgloballocale 68471->68473 68472 1081b3a 68474 10d6c0a _ValidateLocalCookies 5 API calls 68472->68474 68473->68472 68476 1081a6a GetTempPathW 68473->68476 68475 1081b68 GetFileVersionInfoSizeW 68474->68475 68475->68462 68475->68463 68490 10d9160 68476->68490 68478 1081a92 GetTempFileNameW 68492 1081bd0 68478->68492 68480 1081abe Wow64DisableWow64FsRedirection CopyFileW 68481 1081b10 68480->68481 68481->68472 68482 1081b28 Wow64RevertWow64FsRedirection 68481->68482 68482->68472 68484 1043ad0 67 API calls 68483->68484 68485 10439c9 68484->68485 68486 10d7112 4 API calls 68485->68486 68489 1043a77 68485->68489 68487 10439f0 std::locale::_Setgloballocale 68486->68487 68487->68489 68494 10d70c8 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 68487->68494 68489->68471 68489->68472 68491 10d9177 68490->68491 68491->68478 68491->68491 68493 1081bda 68492->68493 68493->68480 68494->68489 68495 fa4cb0 68500 105de50 GetLastError 68495->68500 68496 fa4d27 68497 fa4d78 SetWindowLongW 68496->68497 68498 fa4d5e 68496->68498 68497->68498 68501 105de5a 68500->68501 68502 f49ae0 2 API calls 68501->68502 68503 105de68 68502->68503 68504 105dec6 68503->68504 68505 105de8e 68503->68505 68510 105decd 68503->68510 68507 105df04 DestroyWindow 68504->68507 68504->68510 68506 1041f70 5 API calls 68505->68506 68508 105de9d 68506->68508 68507->68496 68514 105e0d0 6 API calls 68508->68514 68510->68496 68512 fa5a70 16 API calls 68513 105deb0 68512->68513 68513->68496 68515 105e163 68514->68515 68516 105e16a SetWindowPos 68514->68516 68515->68516 68517 10d6c0a _ValidateLocalCookies 5 API calls 68516->68517 68518 105dea7 68517->68518 68518->68512 68519 103fcb0 68520 f46610 32 API calls 68519->68520 68521 103fd2a 68520->68521 68547 10401e0 68521->68547 68524 103fd73 68526 f478d0 31 API calls 68524->68526 68525 f478d0 31 API calls 68525->68524 68527 103fdac 68526->68527 68528 103fe70 
68527->68528 68530 103fde5 68527->68530 68531 103fdc9 68527->68531 68562 100e0c0 68528->68562 68532 f46610 32 API calls 68530->68532 68573 f46c00 32 API calls 68531->68573 68535 103fdd8 68532->68535 68533 103fe9c 68536 10d6c0a _ValidateLocalCookies 5 API calls 68533->68536 68574 f48d30 68535->68574 68537 103febc 68536->68537 68541 103fe2c 68542 f478d0 31 API calls 68541->68542 68543 103fe38 68542->68543 68544 103fe54 68543->68544 68545 f478d0 31 API calls 68543->68545 68544->68528 68546 f478d0 31 API calls 68544->68546 68545->68544 68546->68528 68548 1040252 68547->68548 68549 104023d 68547->68549 68551 104026f 68548->68551 68552 104025a 68548->68552 68587 f47160 68549->68587 68555 1040277 68551->68555 68556 104028c 68551->68556 68554 f47160 32 API calls 68552->68554 68553 103fd60 68553->68524 68553->68525 68554->68553 68559 f47160 32 API calls 68555->68559 68557 1040294 68556->68557 68558 10402a9 68556->68558 68560 f47160 32 API calls 68557->68560 68558->68553 68561 f47160 32 API calls 68558->68561 68559->68553 68560->68553 68561->68553 68563 100e158 RegOpenKeyExW 68562->68563 68564 100e0f9 68562->68564 68565 100e151 68563->68565 68566 100e14b 68564->68566 68567 100e0fe GetModuleHandleW 68564->68567 68568 100e180 68565->68568 68571 100e177 RegCloseKey 68565->68571 68566->68563 68566->68565 68569 100e126 GetProcAddress 68567->68569 68570 100e10d 68567->68570 68568->68533 68569->68565 68572 100e136 68569->68572 68570->68533 68571->68568 68572->68565 68573->68535 68575 f48d70 68574->68575 68575->68575 68576 f48d90 68575->68576 68577 f48dc9 68575->68577 68600 f46ea0 68576->68600 68604 f47150 32 API calls 2 library calls 68577->68604 68580 f48dce 68581 f48da7 68582 f47070 68581->68582 68583 f470b7 68582->68583 68585 f47083 std::locale::_Init 68582->68585 68605 f46f40 32 API calls 2 library calls 68583->68605 68585->68541 68586 f470c8 68586->68541 68590 f471ad 68587->68590 68592 f47171 std::locale::_Init 68587->68592 68588 f47261 68599 f47150 32 API calls 2 library 
calls 68588->68599 68590->68588 68593 f47750 32 API calls 68590->68593 68591 f47266 68595 f47160 32 API calls 68591->68595 68592->68553 68594 f471f6 std::locale::_Init 68593->68594 68597 f47245 std::ios_base::_Ios_base_dtor 68594->68597 68598 10dc0af 31 API calls 68594->68598 68596 f472d2 68595->68596 68596->68553 68597->68553 68598->68588 68599->68591 68601 f46ecf 68600->68601 68602 f46ef6 std::locale::_Init 68600->68602 68603 f47750 32 API calls 68601->68603 68602->68581 68603->68602 68604->68580 68605->68586 68606 1037cb0 68607 1037cfb 68606->68607 68608 1037ce8 68606->68608 68614 1027fd0 45 API calls 3 library calls 68607->68614 68612 10d6c0a _ValidateLocalCookies 5 API calls 68608->68612 68610 1037d05 68611 f478d0 31 API calls 68610->68611 68611->68608 68613 1037d4a 68612->68613 68614->68610 68615 f48720 68616 f48738 68615->68616 68617 f4872a CloseHandle 68615->68617 68617->68616 68618 1054b10 68619 1054b42 68618->68619 68620 1054b6a GetShortPathNameW 68618->68620 68671 102c9a0 RtlAllocateHeap RaiseException 68619->68671 68622 1054b7b 68620->68622 68642 1054b4f 68620->68642 68624 f49e20 43 API calls 68622->68624 68623 1054b47 68625 f496e0 2 API calls 68623->68625 68630 1054b80 68624->68630 68625->68642 68626 1054c67 68627 f49ae0 2 API calls 68626->68627 68628 1054c71 68627->68628 68629 f49e20 43 API calls 68628->68629 68632 1054cb1 68629->68632 68630->68626 68631 1054c5d 68630->68631 68633 1054bc1 68630->68633 68672 f49870 33 API calls 68630->68672 68634 f49ae0 2 API calls 68631->68634 68636 1054e80 68632->68636 68637 1054cbb 68632->68637 68633->68631 68635 1054bcd GetShortPathNameW 68633->68635 68634->68626 68641 1054be7 std::_Locinfo::_Locinfo_dtor 68635->68641 68635->68642 68639 f49ae0 2 API calls 68636->68639 68674 1054e90 68637->68674 68640 1054e8a 68639->68640 68641->68631 68643 1054c04 68641->68643 68673 102c860 35 API calls 68643->68673 68646 1054c1a 68648 f5b580 33 API calls 68646->68648 68647 1054d13 68649 1054e36 68647->68649 68651 f47160 32 API 
calls 68647->68651 68648->68642 68808 f46ad0 31 API calls std::ios_base::_Ios_base_dtor 68649->68808 68652 1054d53 68651->68652 68654 1054e90 267 API calls 68652->68654 68653 1054e42 68656 10d6c0a _ValidateLocalCookies 5 API calls 68653->68656 68655 1054d66 68654->68655 68657 f478d0 31 API calls 68655->68657 68658 1054e7a 68656->68658 68659 1054d75 68657->68659 68659->68649 68660 f47160 32 API calls 68659->68660 68661 1054db7 68660->68661 68662 1054e90 267 API calls 68661->68662 68663 1054dca 68662->68663 68664 f478d0 31 API calls 68663->68664 68665 1054dd9 68664->68665 68665->68649 68666 f47160 32 API calls 68665->68666 68667 1054e17 68666->68667 68668 1054e90 267 API calls 68667->68668 68669 1054e2a 68668->68669 68670 f478d0 31 API calls 68669->68670 68670->68649 68671->68623 68672->68633 68673->68646 68675 f49e20 43 API calls 68674->68675 68676 1054ec8 68675->68676 68677 1055132 68676->68677 68681 1054ed2 68676->68681 68678 f49ae0 2 API calls 68677->68678 68679 105513c 68678->68679 68680 f49ae0 2 API calls 68679->68680 68682 1055146 68680->68682 68683 f56a60 53 API calls 68681->68683 68684 1055575 68682->68684 68686 1055474 68682->68686 68687 10551e9 68682->68687 68685 1054efc 68683->68685 68688 f49e20 43 API calls 68684->68688 68689 f56a60 53 API calls 68685->68689 68691 f49e20 43 API calls 68686->68691 68890 1070e90 155 API calls _ValidateLocalCookies 68687->68890 68692 105559b 68688->68692 68693 1054f16 68689->68693 68695 1055479 68691->68695 68696 10558bb 68692->68696 68705 10555bf 68692->68705 68719 1055606 68692->68719 68697 f49e20 43 API calls 68693->68697 68694 10551ee 68698 10551f6 68694->68698 68699 10552ec 68694->68699 68695->68696 68809 105f920 68695->68809 68700 f49ae0 2 API calls 68696->68700 68701 1054f1f 68697->68701 68703 f49e20 43 API calls 68698->68703 68894 f4af70 62 API calls _ValidateLocalCookies 68699->68894 68704 10558c5 68700->68704 68701->68679 68706 1054f29 68701->68706 68708 10551fb 68703->68708 68901 1034ab0 44 API calls 2 library 
calls 68705->68901 68716 1054f54 68706->68716 68717 1054f49 68706->68717 68707 1055300 68710 105531a 68707->68710 68713 f478d0 31 API calls 68707->68713 68708->68696 68891 104ed40 64 API calls 68708->68891 68714 f478d0 31 API calls 68710->68714 68712 10555d1 68721 f48d10 64 API calls 68712->68721 68713->68710 68718 105535f 68714->68718 68715 10554cb 68899 10454b0 92 API calls 68715->68899 68887 f49990 33 API calls 3 library calls 68716->68887 68886 f49120 41 API calls 68717->68886 68895 1071220 47 API calls std::ios_base::_Ios_base_dtor 68718->68895 68726 f49e20 43 API calls 68719->68726 68727 10555ef 68721->68727 68760 105565d 68726->68760 68732 f478d0 31 API calls 68727->68732 68728 1054f52 68737 f56a60 53 API calls 68728->68737 68729 105536e 68896 1034ab0 44 API calls 2 library calls 68729->68896 68730 1055232 68731 10552bf 68730->68731 68735 f49e20 43 API calls 68730->68735 68893 104e980 196 API calls 68731->68893 68739 1055601 68732->68739 68734 1055384 68744 f56a60 53 API calls 68734->68744 68740 1055249 68735->68740 68742 1054f7a 68737->68742 68738 10554d6 68743 f47160 32 API calls 68738->68743 68747 f49e20 43 API calls 68739->68747 68740->68696 68762 1055253 68740->68762 68741 10552cc 68752 f478d0 31 API calls 68741->68752 68888 1040a00 33 API calls 2 library calls 68742->68888 68746 1055550 68743->68746 68748 105539c 68744->68748 68900 1034cc0 43 API calls _ValidateLocalCookies 68746->68900 68751 1055729 68747->68751 68753 10403b0 34 API calls 68748->68753 68749 1054f99 68758 f56a60 53 API calls 68749->68758 68751->68696 68768 f49e20 43 API calls 68751->68768 68755 105589c 68752->68755 68756 10553d4 68753->68756 68754 1055566 68759 f478d0 31 API calls 68754->68759 68761 10d6c0a _ValidateLocalCookies 5 API calls 68755->68761 68771 102d800 2 API calls 68756->68771 68757 105528c 68892 1078750 192 API calls 68757->68892 68763 1054fac 68758->68763 68759->68684 68760->68696 68769 f48d10 64 API calls 68760->68769 68764 10558b5 68761->68764 68762->68757 
68762->68762 68766 105527b 68762->68766 68773 f56a60 53 API calls 68763->68773 68764->68647 68772 f5ab80 108 API calls 68766->68772 68774 1055758 68768->68774 68775 10556d3 68769->68775 68770 10552a3 68770->68731 68776 1055404 68771->68776 68772->68757 68777 1054fc3 68773->68777 68774->68696 68778 1055762 SHGetFolderPathW 68774->68778 68779 f48d10 64 API calls 68775->68779 68783 f478d0 31 API calls 68776->68783 68889 1070b10 124 API calls std::_Locinfo::_Locinfo_dtor 68777->68889 68785 10557e2 68778->68785 68786 105578f 68778->68786 68780 10556eb 68779->68780 68902 f46ad0 31 API calls std::ios_base::_Ios_base_dtor 68780->68902 68788 105543d 68783->68788 68904 1075b90 142 API calls 68785->68904 68786->68785 68795 10557a5 PathFileExistsW 68786->68795 68789 1055446 68788->68789 68790 105545a 68788->68790 68897 10558d0 CloseHandle CloseHandle RtlFreeHeap GetLastError 68789->68897 68898 10558d0 CloseHandle CloseHandle RtlFreeHeap GetLastError 68790->68898 68794 10557f8 68797 1055455 68794->68797 68905 104e980 196 API calls 68794->68905 68795->68785 68798 10557b6 68795->68798 68796 1055469 68796->68684 68797->68741 68903 f49990 33 API calls 3 library calls 68798->68903 68799 1054fe6 68801 10550db 68799->68801 68802 10550ac PathFileExistsW 68799->68802 68805 10d6c0a _ValidateLocalCookies 5 API calls 68801->68805 68802->68801 68803 10550b7 68802->68803 68803->68801 68806 f47160 32 API calls 68803->68806 68807 105512c 68805->68807 68806->68801 68807->68647 68808->68653 68810 105f9d4 68809->68810 68811 105f951 68809->68811 68924 1060c40 RaiseException 68810->68924 68922 1060be0 RaiseException 68811->68922 68814 105f9db 68815 105fa43 68814->68815 68818 105f9e7 68814->68818 68906 f52a50 RaiseException 68815->68906 68816 105f95a 68816->68815 68819 105f96d 68816->68819 68925 1060c90 108 API calls 68818->68925 68822 1040e50 45 API calls 68819->68822 68820 105fa4f 68823 f49620 33 API calls 68820->68823 68825 105f984 68822->68825 68826 105fa84 68823->68826 68824 105f9fc 68827 
f5b580 33 API calls 68824->68827 68828 f5b580 33 API calls 68825->68828 68829 105faf7 68826->68829 68830 105fa9c 68826->68830 68831 105f9d2 68827->68831 68832 105f997 68828->68832 68833 105faf2 68829->68833 68928 1062f30 92 API calls 68829->68928 68926 1060be0 RaiseException 68830->68926 68831->68715 68836 10403b0 34 API calls 68832->68836 68907 1044da0 68833->68907 68840 105f9c7 68836->68840 68837 105fabe 68841 105fc13 68837->68841 68845 105facf 68837->68845 68839 105fb0b 68842 f5ab80 108 API calls 68839->68842 68923 1060ec0 RtlAllocateHeap RaiseException RaiseException 68840->68923 68932 f52a50 RaiseException 68841->68932 68857 105fb1d 68842->68857 68927 1044970 92 API calls _wcsrchr 68845->68927 68846 105fc1f 68848 105fc51 68846->68848 68866 105fd16 68846->68866 68933 1060e50 RtlAllocateHeap RaiseException RaiseException 68848->68933 68849 105fae0 68854 f5ab80 108 API calls 68849->68854 68850 105fbcf 68850->68715 68852 105fb69 68930 1060c40 RaiseException 68852->68930 68853 105fd54 68935 1060c90 108 API calls 68853->68935 68854->68833 68856 105fc5c 68864 105fc6c 68856->68864 68934 1060e50 RtlAllocateHeap RaiseException RaiseException 68856->68934 68857->68852 68858 105fc09 68857->68858 68865 105fb58 68857->68865 68862 f49ae0 2 API calls 68858->68862 68859 105fdb5 68867 f49ae0 2 API calls 68859->68867 68861 105fb72 68861->68841 68873 105fb86 68861->68873 68862->68841 68863 105fd60 68868 f5b580 33 API calls 68863->68868 68870 105fcd1 68864->68870 68874 105fd52 68864->68874 68879 1040e50 45 API calls 68864->68879 68865->68852 68929 f5b710 33 API calls 68865->68929 68866->68853 68866->68859 68871 105fd42 68866->68871 68877 105fd49 68866->68877 68872 105fdbf 68867->68872 68868->68874 68885 105fcfc 68870->68885 68936 f52a50 RaiseException 68870->68936 68871->68853 68871->68877 68931 1044970 92 API calls _wcsrchr 68873->68931 68874->68715 68878 f5b580 33 API calls 68877->68878 68878->68874 68881 105fcbe 68879->68881 68883 f5b580 33 API calls 68881->68883 68882 105fb97 
68884 f5ab80 108 API calls 68882->68884 68883->68870 68884->68833 68885->68715 68886->68728 68887->68728 68888->68749 68889->68799 68890->68694 68891->68730 68892->68770 68893->68741 68894->68707 68895->68729 68896->68734 68897->68797 68898->68796 68899->68738 68900->68754 68901->68712 68902->68739 68903->68785 68904->68794 68905->68797 68906->68820 68908 f49620 33 API calls 68907->68908 68909 1044de3 68908->68909 68910 f5ab80 108 API calls 68909->68910 68911 1044e2a 68910->68911 68937 10284f0 68911->68937 68913 1044f41 68944 10285a0 68913->68944 68916 1044edd GetFileAttributesW 68919 1044e32 68916->68919 68917 10d6c0a _ValidateLocalCookies 5 API calls 68918 1044f8a 68917->68918 68918->68850 68919->68913 68919->68916 68920 1044f26 FindNextFileW 68919->68920 68921 1044da0 109 API calls 68919->68921 68920->68913 68920->68919 68921->68916 68922->68816 68924->68814 68925->68824 68926->68837 68927->68849 68928->68839 68929->68852 68930->68861 68931->68882 68932->68846 68933->68856 68934->68864 68935->68863 68936->68859 68938 1028552 std::locale::_Setgloballocale 68937->68938 68939 f49e20 43 API calls 68938->68939 68940 102856a 68939->68940 68941 1028570 68940->68941 68942 f49ae0 2 API calls 68940->68942 68941->68919 68943 102859e 68942->68943 68945 10285f1 68944->68945 68946 102863a 68945->68946 68947 102862d FindClose 68945->68947 68946->68917 68947->68946 68948 105a370 69006 105b460 355 API calls 5 library calls 68948->69006 68950 105a3a5 69007 105ea30 94 API calls 2 library calls 68950->69007 68952 105a3ad 68977 1065210 68952->68977 68955 105ef60 130 API calls 68956 105a3c6 68955->68956 68957 105a3ca 68956->68957 68988 104b9d0 46 API calls 68956->68988 68959 105a3f4 68989 1057060 68959->68989 68978 f5b580 33 API calls 68977->68978 68979 106523f 68978->68979 68980 f5b580 33 API calls 68979->68980 68981 106524b 68980->68981 69008 1081e30 68981->69008 68983 1065253 69033 106d930 54 API calls _ValidateLocalCookies 68983->69033 68985 1065260 68986 f48d10 64 API calls 
68985->68986 68987 105a3bf 68986->68987 68987->68955 68988->68959 69039 105f260 68989->69039 68992 105719a 69005 104cce0 213 API calls 68992->69005 68993 10570b3 CreateFileW 68994 10570f1 SetFilePointer 68993->68994 69004 10570e0 68993->69004 68996 105711e 68994->68996 68994->69004 68995 10571ca CloseHandle 68995->68992 68997 1025b30 45 API calls 68996->68997 68998 105712d 68997->68998 68999 1057148 ReadFile 68998->68999 69102 f49790 33 API calls 68998->69102 69001 105715b 68999->69001 68999->69004 69001->69004 69069 1079c00 69001->69069 69002 1057145 69002->68999 69004->68992 69004->68995 69006->68950 69007->68952 69009 f49620 33 API calls 69008->69009 69010 1081e6f 69009->69010 69011 1081e90 GetFileVersionInfoSizeW 69010->69011 69034 f49790 33 API calls 69010->69034 69014 1081eb5 69011->69014 69015 1081ea8 69011->69015 69013 1081e8d 69013->69011 69014->68983 69015->69014 69016 1081eda GetFileVersionInfoW 69015->69016 69035 f49790 33 API calls 69015->69035 69016->69014 69018 1081ef1 69016->69018 69020 f49e20 43 API calls 69018->69020 69019 1081ed7 69019->69016 69021 1081ef6 69020->69021 69022 1082040 69021->69022 69027 1081f00 69021->69027 69023 f49ae0 2 API calls 69022->69023 69024 108204a 69023->69024 69038 1082070 WaitForSingleObject GetExitCodeThread TerminateThread CloseHandle 69024->69038 69026 1082058 std::ios_base::_Ios_base_dtor 69026->68983 69028 f48d10 64 API calls 69027->69028 69029 1081f58 69028->69029 69031 1081f6f 69029->69031 69036 f49790 33 API calls 69029->69036 69031->69014 69037 f49990 33 API calls 3 library calls 69031->69037 69033->68985 69034->69013 69035->69019 69036->69031 69037->69014 69038->69026 69040 105f307 69039->69040 69041 105f2c3 69039->69041 69104 1060c40 RaiseException 69040->69104 69103 1060be0 RaiseException 69041->69103 69044 105f30e 69046 105f316 69044->69046 69047 105f3ca 69044->69047 69045 105f2cc 69045->69047 69048 105f2d6 69045->69048 69049 105f423 69046->69049 69050 105f322 69046->69050 69052 f49e20 43 API calls 
69047->69052 69048->69049 69051 105f2df 69048->69051 69106 f52a50 RaiseException 69049->69106 69105 1060c90 108 API calls 69050->69105 69056 f49620 33 API calls 69051->69056 69053 105f3de 69052->69053 69057 105f42f 69053->69057 69059 105f2fd 69053->69059 69056->69059 69061 f49ae0 2 API calls 69057->69061 69058 105f337 FindFirstFileW 69060 105f369 69058->69060 69064 10d6c0a _ValidateLocalCookies 5 API calls 69059->69064 69062 f49620 33 API calls 69060->69062 69063 105f439 69061->69063 69065 105f379 69062->69065 69066 105709c 69064->69066 69067 105f3a6 69065->69067 69068 105f398 FindClose 69065->69068 69066->68992 69066->68993 69067->69059 69068->69067 69107 105db60 69069->69107 69072 f49e20 43 API calls 69073 1079c5d 69072->69073 69074 1079f7d 69073->69074 69078 1079c85 69073->69078 69079 1079c90 69073->69079 69075 f49ae0 2 API calls 69074->69075 69076 1079f87 69075->69076 69077 f49ae0 2 API calls 69076->69077 69080 1079f91 69077->69080 69113 f49120 41 API calls 69078->69113 69114 f49990 33 API calls 3 library calls 69079->69114 69083 1079c8e 69084 1042bd0 93 API calls 69083->69084 69090 1079caf 69084->69090 69085 1079f4c 69086 102d800 2 API calls 69085->69086 69087 1079f5b 69086->69087 69087->69004 69088 1079f71 69120 f52a50 RaiseException 69088->69120 69089 1079d01 69116 f5b5f0 31 API calls 3 library calls 69089->69116 69090->69089 69100 1079d16 69090->69100 69115 f49790 33 API calls 69090->69115 69096 f49e20 43 API calls 69096->69100 69097 f4eae0 92 API calls 69097->69100 69098 f5b580 33 API calls 69098->69100 69099 105d650 34 API calls 69099->69100 69100->69074 69100->69076 69100->69085 69100->69088 69100->69096 69100->69097 69100->69098 69100->69099 69117 107a1c0 92 API calls 2 library calls 69100->69117 69118 107a0d0 34 API calls 69100->69118 69119 10799e0 46 API calls 69100->69119 69102->69002 69103->69045 69104->69044 69105->69058 69106->69057 69108 105dbf7 69107->69108 69112 105db8f 69107->69112 69108->69072 69109 105dbf0 69110 10e0746 __freea 2 API calls 
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    • SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 01058E37
                                    • SetEvent.KERNEL32(?), ref: 01058E95
                                      • Part of subcall function 01063960: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,567482D4), ref: 0106398B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
                                    • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
                                    • API String ID: 4144826820-297406034
                                    • Opcode ID: 932d710ae6cdd1f0fe66d4ee530dea4f4c76c4ced274855eff79e0038b69e441
                                    • Instruction ID: 995601ebea3a30cf5da180ffbd16ab7c0eb9c9fe65d4e1249f00135559915a7e
                                    • Opcode Fuzzy Hash: 932d710ae6cdd1f0fe66d4ee530dea4f4c76c4ced274855eff79e0038b69e441
                                    • Instruction Fuzzy Hash: 90E2C230A0060ADFDB50DFACC844BAFFBF5EF45314F1482A9E855AB291DB749905CBA1
                                    APIs
                                    • FindClose.KERNEL32(00000000), ref: 00F5ACA2
                                    • PathIsUNCW.SHLWAPI(00000001,*.*), ref: 00F5AD03
                                    • FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 00F5AF4E
                                    • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00F5AF68
                                    • GetFullPathNameW.KERNEL32(00000001,00000000,?,00000000), ref: 00F5AF9B
                                    • FindClose.KERNEL32(00000000), ref: 00F5B00C
                                    • SetLastError.KERNEL32(0000007B), ref: 00F5B016
                                    • _wcsrchr.LIBVCRUNTIME ref: 00F5B06C
                                    • _wcsrchr.LIBVCRUNTIME ref: 00F5B08C
                                    • PathIsUNCW.SHLWAPI(?,?,567482D4,?,00000000), ref: 00F5B24B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
                                    • String ID: *.*$\\?\$\\?\UNC\
                                    • API String ID: 1241272779-1700010636
                                    • Opcode ID: 2fac5483b38f368625ee7d74ddf14de8b8ca733651e496e9d00d75bc7a18b9dc
                                    • Instruction ID: 5c8e470f9e784e4f63b267f73eef9d8eec3db4a169aa3495c801f80101490789
                                    • Opcode Fuzzy Hash: 2fac5483b38f368625ee7d74ddf14de8b8ca733651e496e9d00d75bc7a18b9dc
                                    • Instruction Fuzzy Hash: 7F62F331A006069FDB14DF68CC89BAFFBA5FF44321F148268ED15DB295DB35A908DB90

                                    Control-flow Graph

                                    Strings
                                    • PackageCode, xrefs: 0107C46B
                                    • SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 0107C18E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
                                    • API String ID: 0-2409377028
                                    • Opcode ID: 50ec2b2a2b35ee68e2ff87996f3918ea0d938b7a571695e3df959e9167656baa
                                    • Instruction ID: 725a798de15f296ee35a57cdb69205e13a0a2ba855728efabf3742d36764c846
                                    • Opcode Fuzzy Hash: 50ec2b2a2b35ee68e2ff87996f3918ea0d938b7a571695e3df959e9167656baa
                                    • Instruction Fuzzy Hash: 79122071A002069FEB14DFA8CD48BAEBBF8FF04314F148169F955EB291DB759940CBA4

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0106FD68
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0106FD75
                                    • GetLastError.KERNEL32 ref: 0106FD7F
                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 0106FDA9
                                    • GetLastError.KERNEL32 ref: 0106FDAF
                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 0106FDD5
                                    • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0106FE08
                                    • EqualSid.ADVAPI32(00000000,?), ref: 0106FE17
                                    • FreeSid.ADVAPI32(?), ref: 0106FE26
                                    • CloseHandle.KERNEL32(00000000), ref: 0106FE60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                    • String ID:
                                    • API String ID: 695978879-0
                                    • Opcode ID: 4bc395de5f90378f657a83a6d030e10a63b5ad379aa48772e2fb000cf4ec3da0
                                    • Instruction ID: bc5bd7597c64beb9ab59c1c63cddc667dbd21b160b11fdc77b4b539034af9ef5
                                    • Opcode Fuzzy Hash: 4bc395de5f90378f657a83a6d030e10a63b5ad379aa48772e2fb000cf4ec3da0
                                    • Instruction Fuzzy Hash: 6D41467190021AEBDF249FE4DC58BEEBBF9FF08718F104069E521B6280DB759A44CB64

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryW.KERNEL32(?,00000000,010626CB,?,?,?,?,?), ref: 01080575
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                    • API String ID: 1029625771-3462492388
                                    • Opcode ID: 09d1e90641e3c56026455d6096985b9382ce3d3e1e27b36bf00b33a41355375f
                                    • Instruction ID: e76813e4bc3f3e5a3e1ae6d88854572910c039c845182678ac2f79648a75c5c4
                                    • Opcode Fuzzy Hash: 09d1e90641e3c56026455d6096985b9382ce3d3e1e27b36bf00b33a41355375f
                                    • Instruction Fuzzy Hash: 2E018074A00315DBCB3DABE5A90494A3FE0B718611B80853AF4A24B208C77684D4CFA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess
                                    • String ID:
                                    • API String ID: 275895251-0

                                    Control-flow Graph (function at 1064f10; the rendered graph with its executed/not-executed block colouring is not reproduced here; the API calls of its blocks are listed under APIs below)
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • GetLocaleInfoW.KERNEL32(?,00000002,0116438C,00000000), ref: 01064F81
                                    • GetLocaleInfoW.KERNEL32(?,00000002,000000FF,-00000001,00000078,-00000001), ref: 01064FBD
                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 01065041
                                    • PeekMessageW.USER32(?,00000000), ref: 01065087
                                    • TranslateMessage.USER32(00000000), ref: 01065092
                                    • DispatchMessageW.USER32(00000000), ref: 01065099
                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 010650AB
                                    Strings
                                    Similarity
                                    • API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
                                    • String ID: %d-%s
                                    • API String ID: 445213441-1781338863

                                    Control-flow Graph (function at 107b490; the rendered graph with its executed/not-executed block colouring is not reproduced here; the API calls of its blocks are listed under APIs below)
                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 0107B51E
                                    • GetLastError.KERNEL32 ref: 0107B524
                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 0107B56C
                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0107B5A2
                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 0107B5EC
                                    Strings
                                    Similarity
                                    • API ID: EnvironmentNameUserVariable$ErrorLast
                                    • String ID: UserDomain
                                    • API String ID: 3567734997-2275544873
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 01002661
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • _wcschr.LIBVCRUNTIME ref: 0100271F
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 01002734
                                    Strings
                                    Similarity
                                    • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
                                    • String ID: Kernel32.dll
                                    • API String ID: 1122257418-1926710522
                                    APIs
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0106DBBA
                                    Strings
                                    Similarity
                                    • API ID: DiskFreeSpace
                                    • String ID: \$\$\
                                    • API String ID: 1705453755-3791832595
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000008,?,00F50E77,?,?,00F50C24,?), ref: 010D67BD
                                    • HeapAlloc.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D67C4
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00F50C24,?), ref: 010D680A
                                    • HeapFree.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D6811
                                      • Part of subcall function 010D6656: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,010D6800,00000000,?,?,00F50C24,?), ref: 010D667A
                                      • Part of subcall function 010D6656: HeapAlloc.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D6681
                                    Similarity
                                    • API ID: Heap$Process$Alloc$Free
                                    • String ID:
                                    • API String ID: 1864747095-0
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 0104540D
                                    • FindClose.KERNEL32(00000000), ref: 0104546C
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                    Similarity
                                    • API ID: Find$AllocateCloseFileFirstHeap
                                    • String ID:
                                    • API String ID: 1673784098-0
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess
                                    • String ID:
                                    • API String ID: 275895251-0
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,567482D4,567482D4,?,?,?,?,00000000), ref: 0107C979
                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,567482D4,567482D4,?,?,?,?,00000000,010FEE85), ref: 0107C99A
                                    Similarity
                                    • API ID: Create$FileNamedPipe
                                    • String ID:
                                    • API String ID: 1328467360-0
                                    APIs
                                    • __set_se_translator.LIBVCRUNTIME ref: 00F72548
                                    • SetUnhandledExceptionFilter.KERNEL32(010417A0), ref: 00F7255E
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                    • String ID:
                                    • API String ID: 2480343447-0
                                    APIs
                                      • Part of subcall function 01043860: __Init_thread_footer.LIBCMT ref: 01043940
                                    • CoCreateInstance.COMBASE(011641E8,00000000,00000001,01180588,000000B0), ref: 01087B8E
                                    Similarity
                                    • API ID: CreateInit_thread_footerInstance
                                    • String ID:
                                    • API String ID: 3436645735-0
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Similarity
                                    • API ID: Init_thread_footer$CreateHeapInstanceProcess
                                    • String ID:
                                    • API String ID: 3807588171-0
                                    • Opcode ID: 011e7022e0a31c78ef9cc0bd7d31c7e3355d25b54cdf668ddceb56df7d833c6b
                                    • Instruction ID: 47830396040e0f44da0bc205ce0a30820af6b13dca6277e53706b82bfeedc9ae
                                    • Opcode Fuzzy Hash: 011e7022e0a31c78ef9cc0bd7d31c7e3355d25b54cdf668ddceb56df7d833c6b
                                    • Instruction Fuzzy Hash: CD6147B0504745CFE760DF68C55838ABFE0FF08318F108A9DD98A9B381D7B9A649DB90

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 01043BDE
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 01043C25
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 01043C44
                                    • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 01043C73
                                    • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 01043CE8
                                    • RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 01043D51
                                    • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 01043DB4
                                    • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 01043E06
                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 01043EA3
                                    • GetProcAddress.KERNEL32(00000000), ref: 01043EAA
                                    • __Init_thread_footer.LIBCMT ref: 01043EBE
                                    • GetCurrentProcess.KERNEL32(?), ref: 01043EE1
                                    • IsWow64Process.KERNEL32(00000000), ref: 01043EE8
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01043F22
                                    Strings
                                    Similarity
                                    • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                    • String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
                                    • API String ID: 1906320730-525127412
                                    • Opcode ID: 389f8481950f71c54401c93190e113b3d1a06e55f4177f738c929903fd7e53d9
                                    • Instruction ID: 8f9c524fb1bab138aa32ccfa4af24ab8e994d7ae9741878152c7a06faf6f720b
                                    • Opcode Fuzzy Hash: 389f8481950f71c54401c93190e113b3d1a06e55f4177f738c929903fd7e53d9
                                    • Instruction Fuzzy Hash: 98A1B1B0900328DFEB74DF55DC45BA9B7F4FB04715F0041E9E499AA280EB749A84CF94

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 01043FC0
                                    • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 01043FFB
                                    • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 01044076
                                    • RegCloseKey.KERNEL32(00000000), ref: 0104424E
                                    Strings
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                    • API String ID: 1586453840-3149529848
                                    • Opcode ID: d7d6e160783c208e9bad9f44536729b7163c375607cf34e241513f1b13cacc5b
                                    • Instruction ID: 45f20edb4b02497c26778e2ae8e0160ca8d14053458055ca55d24af2ed0f0590
                                    • Opcode Fuzzy Hash: d7d6e160783c208e9bad9f44536729b7163c375607cf34e241513f1b13cacc5b
                                    • Instruction Fuzzy Hash: 3071E5B07043099BEF249B64DEC0BAA72F5FB44248F0080B8DE95EB796EB34D945CB44

                                    Control-flow Graph

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0106589C
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                      • Part of subcall function 00F52A50: RaiseException.KERNEL32(?,?,00000000,00000000,010D64E7,C000008C,00000001,?,010D6518,00000000,?,00F48F47,00000000,567482D4,00000001,?), ref: 00F52A5C
                                    • __Init_thread_footer.LIBCMT ref: 010658EC
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AllocateConditionExceptionHeapRaiseVariableWake
                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$shfolder.dll
                                    • API String ID: 2519272855-3044903971
                                    • Opcode ID: fd755a2d30eabce80c77596e0f1cb8f637e505674890de3555288cb26c0b8b85
                                    • Instruction ID: 4483d091859356c629116ad5bb9223d579276368b6764795e001777aaf15c447
                                    • Opcode Fuzzy Hash: fd755a2d30eabce80c77596e0f1cb8f637e505674890de3555288cb26c0b8b85
                                    • Instruction Fuzzy Hash: F5713771A00707CBEB10EFA8DC45BAEB7F9AF11364F1442A8D991AB2C1E735D905C7A1

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • GetTickCount.KERNEL32 ref: 010573E4
                                    • __Xtime_get_ticks.LIBCPMT ref: 010573EC
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01057436
                                    • __Init_thread_footer.LIBCMT ref: 01057631
                                    • GetCurrentProcess.KERNEL32 ref: 010579D3
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 010579E3
                                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 01057A0F
                                    • CloseHandle.KERNEL32(00000000), ref: 01057A50
                                    Strings
                                    Similarity
                                    • API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                    • String ID: \/:*?"<>|
                                    • API String ID: 3363527671-3830478854
                                    • Opcode ID: 73c652fbe27bc7e85fdc8f173a6f8ccf3ab2982e30b8b3cb749795ecb7dbd22a
                                    • Instruction ID: e33342019dda0562a7c9719a2b326d027c12ef2afd80b9b4829fe4084d2e212c
                                    • Opcode Fuzzy Hash: 73c652fbe27bc7e85fdc8f173a6f8ccf3ab2982e30b8b3cb749795ecb7dbd22a
                                    • Instruction Fuzzy Hash: 2322CF70A00219DFEB24DFA8CC48BEEBBB4BF44314F1445A8D849AB281DB745A45DFA1

                                    Control-flow Graph

                                    APIs
                                    • DecodePointer.KERNEL32(567482D4,?,?,010D6890,011E5C90,?,?,?,01082657,00000000,567482D4,?,01082792), ref: 010D655C
                                    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,567482D4,?,?,010D6890,011E5C90,?,?,?,01082657,00000000,567482D4,?,01082792), ref: 010D6571
                                    • DecodePointer.KERNEL32(567482D4,?,?,?,?,?,?,?,?,?,00000000,567482D4,?,01082792), ref: 010D65ED
                                    Strings
                                    Similarity
                                    • API ID: DecodePointer$LibraryLoad
                                    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                    • API String ID: 1423960858-1745123996
                                    • Opcode ID: dff4d0466fe26cd80d3f0becde0213226f4fd5145d439b968ef67f0733128c10
                                    • Instruction ID: da40b640209945469c6a72f40f5f6b7bc17dca485894ac5fe10c1000e089cd6c
                                    • Opcode Fuzzy Hash: dff4d0466fe26cd80d3f0becde0213226f4fd5145d439b968ef67f0733128c10
                                    • Instruction Fuzzy Hash: D9012B30541311EBDB9D5759AC0ABCE3FDE9F1150CF4402B8BD827B14DEB539584C282

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 010439A0: __Init_thread_footer.LIBCMT ref: 01043A72
                                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,567482D4,00000000,00000000), ref: 010819E4
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 01081A79
                                    • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 01081AAA
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 01081ADD
                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 01081AFF
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 01081B2E
                                    Strings
                                    Similarity
                                    • API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
                                    • String ID: shim_clone
                                    • API String ID: 4264308349-3944563459
                                    • Opcode ID: 6053229ece360e0307c29d2a64491ffd84f7657217a7055effdaf60517e69aae
                                    • Instruction ID: d333a642e24cbd2a7f245a674fb77235d5bdb82230ea410f25935ed6d8329138
                                    • Opcode Fuzzy Hash: 6053229ece360e0307c29d2a64491ffd84f7657217a7055effdaf60517e69aae
                                    • Instruction Fuzzy Hash: D4510570A042189FEB24EB64CC44BEEBBF9EF54710F0480E9E585D7180EB759B86CB90

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01063876
                                    • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 010638D5
                                    • SetEndOfFile.KERNEL32(?), ref: 010638DE
                                    • CloseHandle.KERNEL32(?), ref: 010638F7
                                    Strings
                                    • %sholder%d.aiph, xrefs: 01063852
                                    • Not enough disk space to extract file:, xrefs: 0106377A
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointer
                                    • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                    • API String ID: 22866420-929304071
                                    • Opcode ID: 8413bd7306509193b5028dd11e8a7a3bcbe1abed6610621cdf84195ba3d1e5c9
                                    • Instruction ID: 359d438cdb1c012989ddb50e3bf4bf4d8111dad00e8d445cab28f8ac43b6a94c
                                    • Opcode Fuzzy Hash: 8413bd7306509193b5028dd11e8a7a3bcbe1abed6610621cdf84195ba3d1e5c9
                                    • Instruction Fuzzy Hash: 4C818F75A0020A9FDB10DF68CC45BAEBBF8FF45324F148669E965AB281D735E901CB90

Control-flow Graph

Control-flow graph of the function at 0x10800c0 (basic blocks 0x10800c0 through 0x10802eb; the graph rendering is not reproduced here). API calls by block: SetFilePointer in 0x108015b-0x1080172, GetLastError in 0x1080174-0x108017c, ReadFile in 0x1080182-0x1080197, SetFilePointer in 0x1080236-0x108025c, ReadFile in 0x108025e-0x1080273. Internal calls: 0x1063ac0, 0x10d74c5.
                                    APIs
                                    • SetFilePointer.KERNEL32(01147C6D,-00000400,?,00000002,00000400,567482D4,?,?,?), ref: 01080166
                                    • GetLastError.KERNEL32(?,?), ref: 01080174
                                    • ReadFile.KERNEL32(01147C6D,00000000,00000400,?,00000000,?,?), ref: 0108018F
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$ErrorLastPointerRead
                                    • String ID: ADVINSTSFX
                                    • API String ID: 64821003-4038163286
                                    • Opcode ID: a019ff7414550b26d5607c9b1dad41e5ce5d52d6a208d8a5590175bd5e007898
                                    • Instruction ID: c2c0772112b262d5a1601cd0eca60777f881218a55549567829b8e4f84e5842c
                                    • Opcode Fuzzy Hash: a019ff7414550b26d5607c9b1dad41e5ce5d52d6a208d8a5590175bd5e007898
                                    • Instruction Fuzzy Hash: 6261F271A04209DBDB11DFA8C884BBEBBF6FF45320F144668F591A7385D3709945CB60
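The call sequence listed for this function, SetFilePointer with offset -0x400 relative to FILE_END (dwMoveMethod 2) followed by ReadFile of 0x400 bytes, together with its single string reference ADVINSTSFX, is the pattern of a self-extracting stub locating its own trailer in the last 1 KiB of its image. The following Python script reproduces that check for triage of other files. It is an added example, not code from the sample or from Joe Sandbox; it assumes the marker is stored as either ASCII or UTF-16LE "ADVINSTSFX" somewhere in those final 0x400 bytes, and it does not parse the rest of the trailer, whose layout the report does not show.

```python
"""Triage helper: does a file carry an ADVINSTSFX trailer marker?

Added example, not code from the sample or from Joe Sandbox. It mirrors the
call sequence in the report (SetFilePointer(h, -0x400, NULL, FILE_END), then
ReadFile(h, buf, 0x400)) and the ADVINSTSFX string the same function
references. Assumptions: the marker is stored as ASCII or UTF-16LE within the
last 0x400 bytes; the rest of the trailer layout is not shown in the report
and is not parsed here.
"""
import os
from typing import Optional

TRAILER_SIZE = 0x400          # the sample's seek offset and read length
MARKER = b"ADVINSTSFX"        # string referenced by the trailer-reading function
ENCODINGS = (                 # both encodings are an assumption, checked in order
    ("ascii", MARKER),
    ("utf-16le", MARKER.decode("ascii").encode("utf-16le")),
)


def find_sfx_marker(trailer: bytes, file_size: int) -> Optional[dict]:
    """Search `trailer` (the file's final bytes) for the marker.

    `file_size` is used to report absolute offsets. Returns None when the
    marker is absent in both encodings.
    """
    base = file_size - len(trailer)
    for encoding, needle in ENCODINGS:
        idx = trailer.find(needle)
        if idx != -1:
            return {
                "encoding": encoding,
                "offset": base + idx,
                "offset_from_end": file_size - (base + idx),
            }
    return None


def scan_bytes(data: bytes) -> Optional[dict]:
    """Apply the trailer check to an in-memory image.

    data[-TRAILER_SIZE:] yields the whole buffer for files shorter than
    0x400 bytes, which is the edge case the sample handles via GetLastError.
    """
    return find_sfx_marker(data[-TRAILER_SIZE:], len(data))


def scan_file(path: str) -> Optional[dict]:
    """Apply the same check to a file on disk, reading only the trailer."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - TRAILER_SIZE), os.SEEK_SET)
        return find_sfx_marker(fh.read(TRAILER_SIZE), size)


def build_sample_image(marker_encoding: str = "ascii") -> bytes:
    """Constructed test input (not derived from the real sample): a fake
    PE-like stub, an appended blob, and a marker 0x40 bytes before EOF."""
    needle = dict(ENCODINGS)[marker_encoding]
    stub = b"MZ" + bytes(0x1000)             # stand-in for the stub executable
    payload = b"PAYLOAD" * 64                # stand-in for the appended archive
    trailer = bytes(0x80) + needle + bytes(0x40)
    return stub + payload + trailer


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        print("constructed sample:", scan_bytes(build_sample_image()))
```

Run it with one or more file paths to get the marker's encoding and absolute offset, or with no arguments to exercise the constructed sample. A hit only says the file is laid out like this stub's own image; confirming the family still needs the stub's code or the trailer fields the report leaves unspecified.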

Control-flow Graph

Control-flow graph of the function at 0xf52891 (basic blocks 0xf52891 through 0xf529cd; the graph rendering is not reproduced here). API calls by block: CallWindowProcW in 0xf52926-0xf5293a, GetWindowLongW and CallWindowProcW in 0xf5293c-0xf5296e, GetWindowLongW in 0xf52970-0xf5297b, SetWindowLongW in 0xf5297d-0xf52985.
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00F52930
                                    • GetWindowLongW.USER32(?,000000FC), ref: 00F52945
                                    • CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00F5295B
                                    • GetWindowLongW.USER32(?,000000FC), ref: 00F52975
                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00F52985
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$CallProc
                                    • String ID: $
                                    • API String ID: 513923721-3993045852
                                    • Opcode ID: 2303485dc0b1e1f30253e9527e23342862da4e8944814d409b42616024678219
                                    • Instruction ID: eaec0e2522aea8a2b17451c3ef3e67a016c30c4852f1c2c783488fd63b9d8409
                                    • Opcode Fuzzy Hash: 2303485dc0b1e1f30253e9527e23342862da4e8944814d409b42616024678219
                                    • Instruction Fuzzy Hash: BE414271608700AFC3A0DF59C884A1BFBF5FF89720F504A2DF9A6872A0D332E8449B51

Control-flow Graph

Control-flow graph of the function at 0x102ebe0 (basic blocks 0x102ebe0 through 0x102ecd5; the graph rendering is not reproduced here). API calls by block: GetModuleHandleW in 0x102ec1e-0x102ec2b, GetProcAddress in 0x102ec46-0x102ec54, RegCreateKeyExW in 0x102ec82-0x102ec99, RegCloseKey in 0x102ecab-0x102ecb2.
                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,567482D4,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 0102EC23
                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0102EC4C
                                    • RegCreateKeyExW.KERNEL32(?,00F57319,00000000,00000000,00000000,?,00000000,00000000,?,567482D4,?,?,?,00000000,?,Function_001BEE20), ref: 0102EC99
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 0102ECAC
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressCloseCreateHandleModuleProc
                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                    • API String ID: 1765684683-2994018265
                                    • Opcode ID: f974c0050539146aa31dc053a655515881f1ee9226cd8fbf5c4ec06a305ef819
                                    • Instruction ID: 1dc92508c4634c8ad0f8aaf93d8a48acd84a88138a22f6c2c21129e709857d3e
                                    • Opcode Fuzzy Hash: f974c0050539146aa31dc053a655515881f1ee9226cd8fbf5c4ec06a305ef819
                                    • Instruction Fuzzy Hash: F231B472644219EFEB25CF89DC45FAABBB9FB04750F10812AFA15D7280D771A451CB90
                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,567482D4,?,?,?,?,?,Function_001BEE20,000000FF,?,0103FE9C,?,?,000000FF), ref: 0100E103
                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0100E12C
                                    • RegOpenKeyExW.KERNEL32(?,567482D4,00000000,?,00000000,567482D4,?,?,?,?,?,Function_001BEE20,000000FF,?,0103FE9C,?), ref: 0100E165
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BEE20,000000FF,?,0103FE9C,?,?,000000FF), ref: 0100E178
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressCloseHandleModuleOpenProc
                                    • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                    • API String ID: 823179699-3913318428
                                    • Opcode ID: 1ea17f5fa8bc9d1af4863a5ed7a87fe0b16b48e24e5044b448ffe3977e733923
                                    • Instruction ID: b17c2d6c932ec3174519340239b24e58c9cc1388aec666927afd4648fe2e6c49
                                    • Opcode Fuzzy Hash: 1ea17f5fa8bc9d1af4863a5ed7a87fe0b16b48e24e5044b448ffe3977e733923
                                    • Instruction Fuzzy Hash: AE219172604619EFFB268F49DC44FEABBB9FB48710F00896AF915E7280D771A410CB50
                                    APIs
                                    • GetDlgItem.USER32(?,00000002), ref: 0105E0F0
                                    • GetWindowRect.USER32(00000000,?), ref: 0105E106
                                    • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0105DEA7,?,00000000), ref: 0105E11F
                                    • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0105DEA7,?), ref: 0105E12A
                                    • GetDlgItem.USER32(?,000003E9), ref: 0105E13C
                                    • GetWindowRect.USER32(00000000,?), ref: 0105E152
                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 0105E195
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Rect$Item$InvalidateShow
                                    • String ID:
                                    • API String ID: 2147159307-0
                                    • Opcode ID: 226d93c44e0588b2e69b08a6823e53e74523e2c4b92371dadd4f961facad6adf
                                    • Instruction ID: 3bc418f630e27a388b0b166df56200974faae2bbf159828df6bc875d75a79c53
                                    • Opcode Fuzzy Hash: 226d93c44e0588b2e69b08a6823e53e74523e2c4b92371dadd4f961facad6adf
                                    • Instruction Fuzzy Hash: F4216B75604301AFD354DF64DC49A6BBBE9EF88709F008629F899DB281E730E9858B52
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,567482D4,?,?,00000002,?,?,?,?,?,?,00000000,01141942), ref: 01061EF7
                                    • GetLastError.KERNEL32(?,00000002), ref: 01062189
                                    • GetLastError.KERNEL32(?,00000002), ref: 01062233
                                    • GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,01141942,000000FF,?,01060E0A,00000010), ref: 01061F06
                                      • Part of subcall function 01043200: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,567482D4,?,00000000), ref: 0104324B
                                      • Part of subcall function 01043200: GetLastError.KERNEL32(?,00000000), ref: 01043255
                                    • ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 01061FC8
                                    • ReadFile.KERNEL32(?,567482D4,00000000,00000000,00000000,00000001,?,00000002), ref: 01062045
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$File$Read$FormatMessagePointer
                                    • String ID:
                                    • API String ID: 3903527278-0
                                    • Opcode ID: d6414cb0b46cb94dd0b492616d4db73588f0a1edf3a75bcb399ee24d3c6e006f
                                    • Instruction ID: 12f013ef2695c6facd2eb97d6005eba6dca03fc3a9982f5165b93d2679482650
                                    • Opcode Fuzzy Hash: d6414cb0b46cb94dd0b492616d4db73588f0a1edf3a75bcb399ee24d3c6e006f
                                    • Instruction Fuzzy Hash: A8D1B571D0020ADFDB00DFA8C884BAEFBB9FF54314F1482A9E965AB391D7759905CB90
                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,567482D4,567482D4,?,?,?,?,0106485D,?,567482D4,?,00000000,?,00000000,011420E5), ref: 01081E95
                                    • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,?,00000000,?,?,0106485D,?,567482D4,?,00000000,?,00000000,011420E5), ref: 01081EE3
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion$Size
                                    • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                    • API String ID: 2104008232-2149928195
                                    • Opcode ID: 68c33770fd6bd4e047efc2bbb6cec49d4fd03f1ed6931e275b5c9d1cfe6fb468
                                    • Instruction ID: fcbb2869a2d212c02c7cabf6c7fc06cb25b875cd9cbeb1b91f80c59edbe2d40a
                                    • Opcode Fuzzy Hash: 68c33770fd6bd4e047efc2bbb6cec49d4fd03f1ed6931e275b5c9d1cfe6fb468
                                    • Instruction Fuzzy Hash: C771DE7190520A9FDB14EFACC848AAFBBF9FF14314F148169F991E7291DB749901CBA0
                                    APIs
                                      • Part of subcall function 01081990: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,567482D4,00000000,00000000), ref: 010819E4
                                      • Part of subcall function 01081990: GetTempPathW.KERNEL32(00000104,?), ref: 01081A79
                                      • Part of subcall function 01081990: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 01081AAA
                                      • Part of subcall function 01081990: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 01081ADD
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,567482D4,00000000,?,?,00000000,01148105,000000FF,Shlwapi.dll,01081CD6,?,?,00000010), ref: 01081D6D
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 01081D99
                                    • GetLastError.KERNEL32(?,00000010), ref: 01081DDE
                                    • DeleteFileW.KERNEL32(?), ref: 01081DF1
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
                                    • String ID: Shlwapi.dll
                                    • API String ID: 1841109139-1687636465
                                    • Opcode ID: 3935d75e3bd196b9963f81902a0a51125e745ffe8f44ed9e39b24b6060077153
                                    • Instruction ID: 3877d183b1179d496b6a2934dce17f16ac180ea7c1252fc568a975ddf9e4ce7f
                                    • Opcode Fuzzy Hash: 3935d75e3bd196b9963f81902a0a51125e745ffe8f44ed9e39b24b6060077153
                                    • Instruction Fuzzy Hash: 4431AF71905209EFDB15EFA9D844BEEBFF8EF09610F14416AE895A7240DB309941CBA0
                                    APIs
                                    • LoadLibraryW.KERNEL32(ComCtl32.dll,567482D4,00000000,?,00000000), ref: 0104335E
                                    • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 01043381
                                    • FreeLibrary.KERNEL32(00000000), ref: 010433FF
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: ComCtl32.dll$LoadIconMetric
                                    • API String ID: 145871493-764666640
                                    • Opcode ID: 1c08c0762fb9a4b251a586cb739f1f54b1654e4fe7266a491d27ff17184b8663
                                    • Instruction ID: db62e956fbbf763a6e14998f19893edb745ae1e96096cd35fa69894202829462
                                    • Opcode Fuzzy Hash: 1c08c0762fb9a4b251a586cb739f1f54b1654e4fe7266a491d27ff17184b8663
                                    • Instruction Fuzzy Hash: D73184B1A04259EBDB148F99DC44BAFBFF8FB48714F00416DF925A7380DB7589008B90
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,567482D4,?,?,00000000,?,?,?,?,0114804D,000000FF,?,01062B4E), ref: 01081600
                                    • CreateThread.KERNEL32(00000000,00000000,01081980,?,00000000,?), ref: 01081636
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0108173F
                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 0108174A
                                    • CloseHandle.KERNEL32(00000000), ref: 0108176A
                                      • Part of subcall function 00F52A50: RaiseException.KERNEL32(?,?,00000000,00000000,010D64E7,C000008C,00000001,?,010D6518,00000000,?,00F48F47,00000000,567482D4,00000001,?), ref: 00F52A5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
                                    • String ID:
                                    • API String ID: 3595790897-0
                                    • Opcode ID: 408ba5b8307aed0f50a4dda1eb0f587b4c75e0e654203d20fcbfff494ebd7e4d
                                    • Instruction ID: db9fb9f92d109c517a59250e4af48445da2a7b908bc4d0d87aecccc01218cb51
                                    • Opcode Fuzzy Hash: 408ba5b8307aed0f50a4dda1eb0f587b4c75e0e654203d20fcbfff494ebd7e4d
                                    • Instruction Fuzzy Hash: A4515B74A04709DFCB24DF68C884BAABBF4FF48714F24466DE996A7751D730A841CB90
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • PathIsUNCW.SHLWAPI(?,?), ref: 010456F6
                                    • _wcschr.LIBVCRUNTIME ref: 01045712
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapPathProcess_wcschr
                                    • String ID: \\?\$\\?\UNC\
                                    • API String ID: 660126660-3019864461
                                    • Opcode ID: 781e7d2cdcb77d10a110bc0e2d12bde34bdad0f9401e5b086916ddbc6782d94e
                                    • Instruction ID: f5ba2dd32d7c5e446e5da712a2c4d0c9e4a33cbe025cdd315ede8876099471f9
                                    • Opcode Fuzzy Hash: 781e7d2cdcb77d10a110bc0e2d12bde34bdad0f9401e5b086916ddbc6782d94e
                                    • Instruction Fuzzy Hash: 40C18271A0160A9FEB00DBA8CC84BDEFBF9FF45314F148269E555E7291EB789904CB90
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,567482D4,?,00000010,?), ref: 0105EE4A
                                      • Part of subcall function 0106FD20: GetCurrentProcess.KERNEL32 ref: 0106FD68
                                      • Part of subcall function 0106FD20: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0106FD75
                                      • Part of subcall function 0106FD20: GetLastError.KERNEL32 ref: 0106FD7F
                                      • Part of subcall function 0106FD20: CloseHandle.KERNEL32(00000000), ref: 0106FE60
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                    • String ID: Extraction path set to:$[WindowsVolume]$\\?\
                                    • API String ID: 699919280-3538578949
                                    • Opcode ID: 98b88c63ba282e393e579bb72b5711f4498d60d281ebcd293baa79e586b844e2
                                    • Instruction ID: a8ffa8922aec6c160bc3b066b9133e84161dafb5648538f273124936a7c9645c
                                    • Opcode Fuzzy Hash: 98b88c63ba282e393e579bb72b5711f4498d60d281ebcd293baa79e586b844e2
                                    • Instruction Fuzzy Hash: 24C1E630A005469FDB50DF6CC844BAFFBF5AF44310F148298E995AB292DB74DE45CB91
                                    APIs
                                    • ConnectNamedPipe.KERNEL32(?,00000000,567482D4,?,000000FF,?,?,00000000,01147306,000000FF,?,0107D22A,000000FF,?,00000001), ref: 0107D04C
                                    • GetLastError.KERNEL32(?,?,00000000,01147306,000000FF,?,0107D22A,000000FF,?,00000001), ref: 0107D056
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,567482D4,?,000000FF,?,?,00000000,01147306,000000FF,?,0107D22A,000000FF), ref: 0107D0A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
                                    • String ID: \\.\pipe\ToServer
                                    • API String ID: 2973225359-63420281
                                    • Opcode ID: e74c144a31e50680b5a874e49ba8aa3f4019190067fbf451607ba722e7146e68
                                    • Instruction ID: 6cf3f199e0ac75dcb0e78b0784cce921d9317755aeb18367ee9ff0fee457d5c8
                                    • Opcode Fuzzy Hash: e74c144a31e50680b5a874e49ba8aa3f4019190067fbf451607ba722e7146e68
                                    • Instruction Fuzzy Hash: 6071B071A04209AFDB14CF68D814BAEBBE8FF44724F10866DE925DB381DB75A901CB94
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,567482D4,?,00000010,?,0105A430,?), ref: 010570C6
                                    • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 0105710F
                                    • ReadFile.KERNEL32(00000000,567482D4,?,?,00000000,00000078,?), ref: 01057151
                                    • CloseHandle.KERNEL32(00000000), ref: 010571CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerRead
                                    • String ID:
                                    • API String ID: 4133201480-0
                                    • Opcode ID: 0450ab64e1f7ba0d9575669ba07c38888490b3e1c74b79ea2d78026b2af10040
                                    • Instruction ID: 0f89f9326f3dc6a1936410f0c820ecd2af7aa7b29f12589be6131685a4943320
                                    • Opcode Fuzzy Hash: 0450ab64e1f7ba0d9575669ba07c38888490b3e1c74b79ea2d78026b2af10040
                                    • Instruction Fuzzy Hash: 23519C70900609EBDB55CBACCC48BAFFBF9EF04324F148259E960AB2D0D7749905CBA4
                                    APIs
                                    • __freea.LIBCMT ref: 010F02C1
                                      • Part of subcall function 010EEDE7: RtlAllocateHeap.NTDLL(00000000,00000000,010EE2B4,?,010F0055,?,00000000,?,010E07B5,00000000,010EE2B4,?,?,?,?,010EE0AE), ref: 010EEE19
                                    • __freea.LIBCMT ref: 010F02D6
                                    • __freea.LIBCMT ref: 010F02E6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: __freea$AllocateHeap
                                    • String ID:
                                    • API String ID: 2243444508-0
                                    • Opcode ID: 0757f41e6c3653884af39aa0efb573bedc3f11ed9f91e09b8c60c11f64e99bc8
                                    • Instruction ID: 59bc71c1bbb0f636bb2c91c88081dc44cfd369665f014137d26798994158c736
                                    • Opcode Fuzzy Hash: 0757f41e6c3653884af39aa0efb573bedc3f11ed9f91e09b8c60c11f64e99bc8
                                    • Instruction Fuzzy Hash: 5151C576601216AFEFA19FA8CC46EFF3AEAEB54210B15016CFF84D6945E671CC008770
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000,567482D4,?,?), ref: 01061A37
                                    • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 01061B44
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$PointerRead
                                    • String ID:
                                    • API String ID: 3154509469-0
                                    • Opcode ID: 90878cb4734287f64f68484929e57c9bff4a82b29c7c60ee854eb2b5da34d744
                                    • Instruction ID: 26f1d1b2616f499ade4823e49c81581ac1a90996bdb5e8aa472541c3599613a5
                                    • Opcode Fuzzy Hash: 90878cb4734287f64f68484929e57c9bff4a82b29c7c60ee854eb2b5da34d744
                                    • Instruction Fuzzy Hash: 2B616F71D00609EFDB14DFA8D845B9DFBB4FB45320F108269E925A7290DB75AA04CB91
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,567482D4,?,00000000,?,80004005,?,00000000), ref: 0105EFFE
                                    • GetLastError.KERNEL32 ref: 0105F036
                                    • GetLastError.KERNEL32(?), ref: 0105F0CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CreateFile
                                    • String ID:
                                    • API String ID: 1722934493-0
                                    • Opcode ID: 5bbf1cf5f5002c0a82d4b3c994db1bef6ffd59742943265b240a4f13652a06b9
                                    • Instruction ID: 340fbd058241cdf48f4ebd72c884e16ed8acbc0407c1503b8cb128396e0189fc
                                    • Opcode Fuzzy Hash: 5bbf1cf5f5002c0a82d4b3c994db1bef6ffd59742943265b240a4f13652a06b9
                                    • Instruction Fuzzy Hash: D051F171A00606DBDB60DF68C844B9BFBF5FF50320F148669E9A9D72D0EB35A901CB80
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,567482D4,?,?,7591E010,0113BB25,000000FF,?,0108403A,00000000,.part,00000005), ref: 0104592B
                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,01173B4C,00000001,?), ref: 010459EA
                                    • GetLastError.KERNEL32 ref: 010459F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLastPath
                                    • String ID:
                                    • API String ID: 953296794-0
                                    • Opcode ID: 29ba8631b3d33084afe9238fe8b78ef199504788e20304c168993f4683f36fe5
                                    • Instruction ID: 0454c0d3839177b1058262725fc9f828eb0693e530d3e25534c325cbf7a7b237
                                    • Opcode Fuzzy Hash: 29ba8631b3d33084afe9238fe8b78ef199504788e20304c168993f4683f36fe5
                                    • Instruction Fuzzy Hash: CB61D171E002099FDB14DFA8C8C4BEEFBF4EF55320F1482A9E961A7290DB749944CB50
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,010ED7C6,?,010DBEA2,?,?,567482D4,010DBEA2,?), ref: 010ED7DD
                                    • TerminateProcess.KERNEL32(00000000,?,010ED7C6,?,010DBEA2,?,?,567482D4,010DBEA2,?), ref: 010ED7E4
                                    • ExitProcess.KERNEL32 ref: 010ED7F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 291e62a8abeafe2c0b42c6c2b627f5ce35796128c10bda86a89b43dfd58e145f
                                    • Instruction ID: 6b519005f6144f2331948bee841d2ee8c534bcf0ccfa8c5ab95847273a2f4ad7
                                    • Opcode Fuzzy Hash: 291e62a8abeafe2c0b42c6c2b627f5ce35796128c10bda86a89b43dfd58e145f
                                    • Instruction Fuzzy Hash: DAD09E31000209EFCF153FA6D90C98D3FA9EF5429570040A4B9AD4A064DF35D991DB81
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: _wcsrchr
                                    • String ID: .msi
                                    • API String ID: 1752292252-299543723
                                    • Opcode ID: e5fe6fe08ca9fa4f957aa99616d69c3060cce9fcfea32ae2e7e65485ba7e352c
                                    • Instruction ID: 25179c7f123146479761382cb4a1ad9e11c803dad9a92da959ab266bb8dc15d7
                                    • Opcode Fuzzy Hash: e5fe6fe08ca9fa4f957aa99616d69c3060cce9fcfea32ae2e7e65485ba7e352c
                                    • Instruction Fuzzy Hash: F1E1B071A0064BABEB54DF68C844BAFBBE5FF04314F148259ED90DB290DB78E914CB90
                                    APIs
                                      • Part of subcall function 01057360: GetTickCount.KERNEL32 ref: 010573E4
                                      • Part of subcall function 01057360: __Xtime_get_ticks.LIBCPMT ref: 010573EC
                                      • Part of subcall function 01057360: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01057436
                                      • Part of subcall function 0107B490: GetUserNameW.ADVAPI32(00000000,?), ref: 0107B51E
                                      • Part of subcall function 0107B490: GetLastError.KERNEL32 ref: 0107B524
                                      • Part of subcall function 0107B490: GetUserNameW.ADVAPI32(00000000,?), ref: 0107B56C
                                      • Part of subcall function 0107B490: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0107B5A2
                                      • Part of subcall function 0107B490: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 0107B5EC
                                    • __Init_thread_footer.LIBCMT ref: 01057631
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                    • String ID: \/:*?"<>|
                                    • API String ID: 2099558200-3830478854
                                    • Opcode ID: 26795c563174a86ed945b561a8ad15b22a6654fd9772fb3ec5b5050afc29a087
                                    • Instruction ID: f0848e8898f7d38799d47b8631ceb19c6ddab5e403a17b976359b4b342b1fa9d
                                    • Opcode Fuzzy Hash: 26795c563174a86ed945b561a8ad15b22a6654fd9772fb3ec5b5050afc29a087
                                    • Instruction Fuzzy Hash: F7E1BC70D00258DFEB24DFA8C854BEEBBB0BF55304F5441D8D849AB281DBB45A89DFA1
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,567482D4), ref: 01045DC0
                                      • Part of subcall function 01045E80: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 01045E8D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                    • String ID: USERPROFILE
                                    • API String ID: 1777821646-2419442777
                                    • Opcode ID: 60467b7ff2352b90502ce20eb6a830cc3cb64588e22733dcdf65021a6ff1f82b
                                    • Instruction ID: 513380964a7cd5faf8ee1a0bde30599971ae4235ed2a1fa359f6e897d0b21cd9
                                    • Opcode Fuzzy Hash: 60467b7ff2352b90502ce20eb6a830cc3cb64588e22733dcdf65021a6ff1f82b
                                    • Instruction Fuzzy Hash: 2B61B471A046099FDB24DF69CC89BAEBBE5EF44310F10866DE855DB291DB749900CB50
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • _wcsrchr.LIBVCRUNTIME ref: 01045281
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapProcess_wcsrchr
                                    • String ID: \\?\
                                    • API String ID: 3663133277-4282027825
                                    • Opcode ID: 763bd238c5abb4b84c80e4dc9331c707823ff15d1f01f452b7cca102973c51ee
                                    • Instruction ID: 5cdf8c855dca3280959b828ca7aa2f6056d2b0d505fe8cf414e05437318a2258
                                    • Opcode Fuzzy Hash: 763bd238c5abb4b84c80e4dc9331c707823ff15d1f01f452b7cca102973c51ee
                                    • Instruction Fuzzy Hash: D241B4B0A01506DBDB04DB6CCD84BAEFBF5FF41325F1482A9E411EB291DB759905CB90
                                    APIs
                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00FA4D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID: $
                                    • API String ID: 1378638983-3993045852
                                    • Opcode ID: 642842615a5da3619558c9b6aa4cf42ee65588d68d61869bf93a6b0a51ae5c0c
                                    • Instruction ID: 3868b2779c27a9c87547d30f736ab7f117d1e871314cd0a3ae6183331f847a22
                                    • Opcode Fuzzy Hash: 642842615a5da3619558c9b6aa4cf42ee65588d68d61869bf93a6b0a51ae5c0c
                                    • Instruction Fuzzy Hash: DF31BCB2504340DFCB549F09C88071ABBF0BFCA721F04855DF9548B295D3B1E945DB92
                                    APIs
                                      • Part of subcall function 010F3F7C: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 010F3FA7
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,010F4293,?,00000000,?,?,?), ref: 010F44AD
                                    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,010F4293,?,00000000,?,?,?), ref: 010F44EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID:
                                    • API String ID: 546120528-0
                                    • Opcode ID: abe370bfeecec429f3148e07fc26c89e21dc547bc5ba2611a0bf0efcb8205f13
                                    • Instruction ID: 87e545f304da95d0d3ed51da13d8120354090ce1f6468569ac2f0d4ad4a51da2
                                    • Opcode Fuzzy Hash: abe370bfeecec429f3148e07fc26c89e21dc547bc5ba2611a0bf0efcb8205f13
                                    • Instruction Fuzzy Hash: 2F5165709003468EEB21DF79C4866ABBBF5EF45304F1880AEC6D2CBA52E774D646CB41
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 010826E1
                                    • EndDialog.USER32(00000000,00000001), ref: 010826F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: DialogWindow
                                    • String ID:
                                    • API String ID: 2634769047-0
                                    • Opcode ID: 6611cb8aa0dbd62912ef401b30b09b37d1717daf8d489b9a1a6145e9813d6769
                                    • Instruction ID: aff9b4bd03c0e53da9a331f4ebfb56670bff7158e64694d005c45b3ea98fe8a0
                                    • Opcode Fuzzy Hash: 6611cb8aa0dbd62912ef401b30b09b37d1717daf8d489b9a1a6145e9813d6769
                                    • Instruction Fuzzy Hash: 7E519730905749DFD721DF69CA08B4ABBF4FF49310F1482A9E495EB2A1DB70AA04CB91
                                    APIs
                                    • GetLastError.KERNEL32(0105D643,00000000), ref: 0105DE50
                                    • DestroyWindow.USER32(?), ref: 0105DF07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: DestroyErrorLastWindow
                                    • String ID:
                                    • API String ID: 1182162058-0
                                    • Opcode ID: b42811dadc053ab61a24c6c1257ad017ca821bae34a9c733b6fcc4323c219d68
                                    • Instruction ID: a07314be1e5a9a6eb81733bf7dab7ea16bdb72967d34c78f6981639292e861ad
                                    • Opcode Fuzzy Hash: b42811dadc053ab61a24c6c1257ad017ca821bae34a9c733b6fcc4323c219d68
                                    • Instruction Fuzzy Hash: 472102756002099BDB61AF8CEC017AB77E8EB54320F004267FC54CB691D779E8A0DBE1
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000), ref: 010804E5
                                    • CloseHandle.KERNEL32(?), ref: 01080539
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CloseFreeHandleLibrary
                                    • String ID:
                                    • API String ID: 10933145-0
                                    • Opcode ID: 3e978b2ee8f1dd066aef39f48178ebfe2d3a34aae3040a058d49aaf83ed6001a
                                    • Instruction ID: 2f867d3ba1e76eb43441679f5170953b74159cf3d352e4377b49b192d8ee6b04
                                    • Opcode Fuzzy Hash: 3e978b2ee8f1dd066aef39f48178ebfe2d3a34aae3040a058d49aaf83ed6001a
                                    • Instruction Fuzzy Hash: 872159B0605606DBD728CFA9D848B9ABBF8FB04714F404229E475CB284DB7AA584CB90
                                    APIs
                                      • Part of subcall function 01043320: LoadLibraryW.KERNEL32(ComCtl32.dll,567482D4,00000000,?,00000000), ref: 0104335E
                                      • Part of subcall function 01043320: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 01043381
                                      • Part of subcall function 01043320: FreeLibrary.KERNEL32(00000000), ref: 010433FF
                                    • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 01041FB4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01041FBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: LibraryMessageSend$AddressFreeLoadProc
                                    • String ID:
                                    • API String ID: 3032493519-0
                                    • Opcode ID: 2ed00db74b4848f0051f268c1f61db4c7bf2c4d50e9862f031afaff5a5c7a9a4
                                    • Instruction ID: 30f5cc69fbe1950786be4db4f701303c562c0848040bd4c50417783995b408bf
                                    • Opcode Fuzzy Hash: 2ed00db74b4848f0051f268c1f61db4c7bf2c4d50e9862f031afaff5a5c7a9a4
                                    • Instruction Fuzzy Hash: BBF0653178122837F66421595C46F6BB64DDB81B65F104276FB98AF3C1ECC67C0403D8
                                    APIs
                                    • LCMapStringEx.KERNEL32(?,010F0200,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 010F150C
                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,010F0200,?,?,00000000,?,00000000), ref: 010F152A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: String
                                    • String ID:
                                    • API String ID: 2568140703-0
                                    • Opcode ID: 29009635d25a3ae67e2891c26ef3e8c6b9dba481c8941d407dd36ccc6ec01c0a
                                    • Instruction ID: 87d750714aa42ba1e8714c742ac7699e389eb7e84c4657b8b723fa9a0c406d96
                                    • Opcode Fuzzy Hash: 29009635d25a3ae67e2891c26ef3e8c6b9dba481c8941d407dd36ccc6ec01c0a
                                    • Instruction Fuzzy Hash: 4FF0683200021AFBCF125F90DC09ADE3E66AB587A0F094114BA2925420C736D971AB91
                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,010F0066,00000000,010EE2B4,00000000,?,010E07B5,00000000,010EE2B4,?,?,?,?,010EE0AE), ref: 010EEDC3
                                    • GetLastError.KERNEL32(?,?,010F0066,00000000,010EE2B4,00000000,?,010E07B5,00000000,010EE2B4,?,?,?,?,010EE0AE), ref: 010EEDCE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 485612231-0
                                    • Opcode ID: 96940da7aeabaf6e452c4bc8ef17865fc5d57269a8f8bea22c0f806d51ee1b3a
                                    • Instruction ID: d7f9061fa2e05dd537eb50eab61e05a9d1c24ae521407e05227d1b2df2830708
                                    • Opcode Fuzzy Hash: 96940da7aeabaf6e452c4bc8ef17865fc5d57269a8f8bea22c0f806d51ee1b3a
                                    • Instruction Fuzzy Hash: CCE0CD35500718EBDB253FF9EC0CB997BDDEB01395F044074F6488A164D7358880CB95
                                    APIs
                                    • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,01064EE0,?), ref: 01064D4B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: EnumLanguagesResource
                                    • String ID:
                                    • API String ID: 4141015960-0
                                    • Opcode ID: 704c506ba46f5b34e851406433418e1c017856eacc31273d57c7d32fcc958142
                                    • Instruction ID: 05e2c82f519c0f36aa2f9a56c9357840d23918f2037ed9965047bfefa2b0b7c0
                                    • Opcode Fuzzy Hash: 704c506ba46f5b34e851406433418e1c017856eacc31273d57c7d32fcc958142
                                    • Instruction Fuzzy Hash: 5151B271A042068FDB20DF68C884BDEBBF9FF48704F014669E595E7241EB75E944CBA0
                                    APIs
                                    • GetCPInfo.KERNEL32(E8458D00,?,010F429F,010F4293,00000000), ref: 010F4082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmpDownload File
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Similarity
                                    • API ID: Info
                                    • String ID:
                                    • API String ID: 1807457897-0
                                    • Opcode ID: 8466b5a348bd19d370ed31b9e2b3382d190eb482911e70d63439d4aa21f27e2d
                                    • Instruction ID: fb1136384502f25c366709bb5eb2f5f5275d517fbd5604a151c7d86c73cee6e5
                                    • Opcode Fuzzy Hash: 8466b5a348bd19d370ed31b9e2b3382d190eb482911e70d63439d4aa21f27e2d
                                    • Instruction Fuzzy Hash: C9513B71A042589ADB218E68DC81AEB7BFCEB65304F1445EDEADAC7542D3319946CF20
                                    APIs
                                    • DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,567482D4), ref: 0106398B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: 9a1d836639a5b04d2edd92d8ffb8d37dacedd788a3689cec14cf3efaf8d61608
                                    • Instruction ID: a58c5243f844685251dcac716d1632922e7751ffe158d67624fc75c0702faca7
                                    • Opcode Fuzzy Hash: 9a1d836639a5b04d2edd92d8ffb8d37dacedd788a3689cec14cf3efaf8d61608
                                    • Instruction Fuzzy Hash: 6541F131A00215DFDB10CF5CC984B9EBBF8FB05710F1482A9E998AF281DB71A901CBE1
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?,567482D4,?,567482D4,0113B6FE,000000FF), ref: 0104474F
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$HeapPathProcessTemp
                                    • String ID:
                                    • API String ID: 764064751-0
                                    • Opcode ID: eae48dc3a8063c716da65afd48285d1066558d14240c0d830308d91f40afaa30
                                    • Instruction ID: f94d64a974f33d40d69c50a2157057c1ebab6559ebcf42e32267c5a5049e3a52
                                    • Opcode Fuzzy Hash: eae48dc3a8063c716da65afd48285d1066558d14240c0d830308d91f40afaa30
                                    • Instruction Fuzzy Hash: A731B3B0600249DFEB54EF68D849BAE7BF4FF04304F10866DE95AD7281EB749605CB84
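The function entries on this page are what the report's "dynamically determine API calls" and file-drop signatures are derived from: the SendMessageW function above whose subcall resolves ComCtl32!LoadIconMetric through LoadLibraryW/GetProcAddress, and the DeleteFileW and GetTempPathW functions. The Python below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses entries written in this page's layout into structured records, extracts which export is resolved at run time, and applies a few triage labels. SAMPLE is constructed from entries shown on this page, and the rule names and heuristics are my own assumptions, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox IDA-plugin function entries and triage their API chains.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE is constructed from entries shown on this page; the triage rules are
the author's own heuristics (assumptions), not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: three function entries copied in the page's own layout.
SAMPLE = """\
APIs
  • Part of subcall function 01043320: LoadLibraryW.KERNEL32(ComCtl32.dll,567482D4,00000000,?,00000000), ref: 0104335E
  • Part of subcall function 01043320: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 01043381
  • Part of subcall function 01043320: FreeLibrary.KERNEL32(00000000), ref: 010433FF
• SendMessageW.USER32(?,00000080,00000001,00000000), ref: 01041FB4
Similarity
• API ID: LibraryMessageSend$AddressFreeLoadProc
• String ID:
APIs
• DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,567482D4), ref: 0106398B
Similarity
• API ID: DeleteFile
APIs
• GetTempPathW.KERNEL32(00000104,?,567482D4,?,567482D4,0113B6FE,000000FF), ref: 0104474F
  • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
Similarity
• API ID: Init_thread_footer$HeapPathProcessTemp
"""

# One API line: optional "Part of subcall function <addr>:", then Name.MODULE,
# optional "(args)", then "ref: <addr>". The report omits the comma and the
# parentheses when no arguments were recovered ("GetProcessHeap.KERNEL32 ref: ...").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                    # call-site address as printed by the plugin
    subcall_of: Optional[str]   # callee that really makes the call; None if direct


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the dump into per-function entries; each starts at an 'APIs' header."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = raw.split(",") if raw else []
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     m.group("ref"), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(cur, m.group(1).lower().replace(" ", "_"), m.group(2).strip())
    return entries


def api_names(entry: FunctionEntry, include_subcalls: bool = True) -> Set[str]:
    """API names attributed to the function; subcall lines are inherited from callees."""
    return {c.name for c in entry.calls if include_subcalls or c.subcall_of is None}


def resolved_imports(entries: List[FunctionEntry]) -> List[Tuple[Optional[str], str]]:
    """(library, export) pairs resolved at run time via LoadLibrary* + GetProcAddress.

    The export name is what separates a compatibility idiom (ComCtl32!LoadIconMetric
    exists only in common controls v6) from a deliberately hidden import.
    """
    found = []
    for e in entries:
        lib = None
        for c in e.calls:
            if c.name.startswith("LoadLibrary") and c.args:
                lib = c.args[0]
            elif c.name == "GetProcAddress" and len(c.args) >= 2:
                found.append((lib, c.args[1]))
    return found


# Heuristic labels (assumed names for this example, not Joe Sandbox signatures).
RULES = {
    "dynamic-api-resolution": lambda n: any(x.startswith("LoadLibrary") for x in n)
                                        and "GetProcAddress" in n,
    "temp-file-staging": lambda n: bool(n & {"GetTempPathW", "GetTempPathA"}),
    "file-deletion": lambda n: bool(n & {"DeleteFileW", "DeleteFileA"}),
}


def triage(entries: List[FunctionEntry], include_subcalls: bool = True) -> List[Tuple[str, str]]:
    """Return (label, api_id) for every entry whose API set satisfies a rule."""
    hits = []
    for e in entries:
        names = api_names(e, include_subcalls)
        for label, pred in RULES.items():
            if pred(names):
                hits.append((label, e.api_id))
    return hits
```

Two points the parser makes visible. First, the LoadLibraryW/GetProcAddress pair by itself is weak evidence: what is resolved here is LoadIconMetric from ComCtl32.dll, a routine idiom for binaries that must also run without common-controls v6, so an analyst should key on the export name rather than on the pair. Second, the plugin lists "Part of subcall function" APIs under every caller, so one callee such as 00F49E20 inflates the API set of many entries; `triage(entries, include_subcalls=False)` restricts matching to direct calls when that duplication gets in the way.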
                                    APIs
                                      • Part of subcall function 01043AD0: __Init_thread_footer.LIBCMT ref: 01043B46
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • __Init_thread_footer.LIBCMT ref: 01043940
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                    • String ID:
                                    • API String ID: 984842325-0
                                    • Opcode ID: b8b8c5959b481c94993a83f5b2e19510740139dd0cfb269db5199059ca2566d7
                                    • Instruction ID: 30cf99e824899b5f7d4ff1547eb7acfc9d07b5a3e7c0dcf38dafe4423630ecb9
                                    • Opcode Fuzzy Hash: b8b8c5959b481c94993a83f5b2e19510740139dd0cfb269db5199059ca2566d7
                                    • Instruction Fuzzy Hash: 5E31D1B5940601ABF729EFC8F885B85B7E0F708718F244679E5A14F2C4D3B168808F84
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,010629F8,?,00000000,00000000,?,?), ref: 0108061D
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                      • Part of subcall function 010806F0: WaitForSingleObject.KERNEL32(?,000000FF,567482D4,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 01080724
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AllocateCreateFileHeapObjectSingleWait
                                    • String ID:
                                    • API String ID: 1261966429-0
                                    • Opcode ID: 7411f35de60afddad82c29a6d05e81d658dac5c5512ce88a447c9b9cbf21b0ed
                                    • Instruction ID: 64551a7b08e76ef4b35d33bfeaeee5f11766482adf525ed6d84ac3cb5a0000be
                                    • Opcode Fuzzy Hash: 7411f35de60afddad82c29a6d05e81d658dac5c5512ce88a447c9b9cbf21b0ed
                                    • Instruction Fuzzy Hash: 06310874204B019FD324EF28D488B56BBE0FF98304F20895DF9DA9B354D771A994CB55
                                    APIs
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • __Init_thread_footer.LIBCMT ref: 01028E32
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID:
                                    • API String ID: 2296764815-0
                                    • Opcode ID: 07313b932be54ed3855b96226f34ec3e76f398ab2d929964cea3c1a7bb03b322
                                    • Instruction ID: 81687977916dab89b34fadc1c3dce5db6029b473fe85ad7608fbe186e2ab8ffb
                                    • Opcode Fuzzy Hash: 07313b932be54ed3855b96226f34ec3e76f398ab2d929964cea3c1a7bb03b322
                                    • Instruction Fuzzy Hash: A801DFB1A04B85DBDB2CDB9CE845B4973E5E714B20F0483BEE826C77C0DB35E9458A42
                                    APIs
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                      • Part of subcall function 01043B70: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 01043BDE
                                      • Part of subcall function 01043B70: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 01043C25
                                      • Part of subcall function 01043B70: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 01043C44
                                      • Part of subcall function 01043B70: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 01043C73
                                      • Part of subcall function 01043B70: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 01043CE8
                                    • __Init_thread_footer.LIBCMT ref: 01043B46
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                    • String ID:
                                    • API String ID: 3563064969-0
                                    • Opcode ID: 798a56d517b964dbef263e1407284cda94e04ac7c07e2f5f39dbcf43661344f9
                                    • Instruction ID: d579a28ea7cc535bbc3d1fc8547c96a5cf3abb108891493f84b73e67a82ef71d
                                    • Opcode Fuzzy Hash: 798a56d517b964dbef263e1407284cda94e04ac7c07e2f5f39dbcf43661344f9
                                    • Instruction Fuzzy Hash: 5501F2B1A00B84EBD329EB98DD41B59B3E0FB04B20F104379EA369B7C0D730A9008BD5
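The block above is the sample's OS-version discovery: RegOpenKeyExW on HKEY_LOCAL_MACHINE (80000002) with subkey Software\Microsoft\Windows NT\CurrentVersion and SAM 00020119, followed by RegQueryValueExW for CurrentMajorVersionNumber, CurrentMinorVersionNumber, CurrentVersion and CurrentBuildNumber. Read raw, the hexadecimal arguments of these lines and of the CreateFileW calls elsewhere on this page hide what matters (which root key, which access rights, whether the file is opened for writing). The Python script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the "• Api.MODULE(args), ref: ADDR" lines in the format this page uses, decodes the CreateFileW access mask, share mode and creation disposition and the RegOpenKeyExW root key and SAM mask with the documented Win32 constants, and rolls the calls up into a triage summary. The sample input is constructed from lines copied from this page; the regex, the ApiCall dataclass and the summary keys are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: API reference lines copied from the function
# listing on this page (Joe Sandbox format: "Api.MODULE(args), ref: ADDR").
SAMPLE = r"""
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,010629F8,?,00000000,00000000,?,?), ref: 0108061D
  • Part of subcall function 01043B70: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 01043BDE
  • Part of subcall function 01043B70: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 01043C25
  • Part of subcall function 01043B70: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 01043CE8
• CreateFileW.KERNEL32(011E7078,C0000000,00000003,00000000,00000004,00000080,00000000,567482D4,011E7054,011E706C,?), ref: 01078AD0
• OutputDebugStringW.KERNEL32(00000000,00000020), ref: 01078B66
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants for the CreateFileW / RegOpenKeyExW parameters.
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ROOT_KEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SAM = [(0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"),
       (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY")]
# Values under HKLM\...\Windows NT\CurrentVersion that together give the OS version.
VERSION_VALUES = {"CurrentMajorVersionNumber", "CurrentMinorVersionNumber",
                  "CurrentVersion", "CurrentBuildNumber"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str                       # address of the call site in the dump
    subcall: Optional[str] = None  # function the call belongs to, if a subcall


def parse_api_lines(text):
    """Keep only '• Api.MODULE(args), ref: ADDR' lines; headings, hashes and
    dump-source lines do not match the regex and are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append(ApiCall(m["api"], m["mod"], m["args"].split(","),
                                 m["ref"].upper(), m["sub"]))
    return calls


def _hex(arg):
    """Joe Sandbox prints arguments it could not resolve as '?'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def _flags(value, table):
    """Names of every (possibly multi-bit) mask in `table` fully set in `value`."""
    return [name for mask, name in table if (value & mask) == mask]


def decode_create_file(call):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)."""
    access, share, disp = (_hex(call.args[i]) for i in (1, 2, 4))
    return {"access": _flags(access or 0, GENERIC),
            "share": _flags(share or 0, SHARE),
            "disposition": DISPOSITION.get(disp, "UNKNOWN")}


def decode_reg_open(call):
    """RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult)."""
    return {"root": ROOT_KEYS.get(_hex(call.args[0]), "HANDLE"),
            "subkey": call.args[1],
            "sam": _flags(_hex(call.args[3]) or 0, SAM)}


def summarize(calls):
    """Roll the parsed calls up into the behaviours an analyst triages first."""
    keys = [decode_reg_open(c) for c in calls if c.api == "RegOpenKeyExW"]
    values = [c.args[1] for c in calls if c.api == "RegQueryValueExW"]
    files = [dict(ref=c.ref, **decode_create_file(c)) for c in calls if c.api == "CreateFileW"]
    version_key = any(k["subkey"].endswith(r"Windows NT\CurrentVersion") for k in keys)
    return {
        "registry_keys": keys,
        "registry_values": values,
        "files": files,
        "os_version_fingerprint": version_key and bool(VERSION_VALUES & set(values)),
        "writes_files": any("GENERIC_WRITE" in f["access"] for f in files),
        "debug_output": any(c.api == "OutputDebugStringW" for c in calls),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_api_lines(SAMPLE)), indent=2))
```

Two details the decoded output makes visible: the SAM value 00020119 is KEY_READ | KEY_WOW64_64KEY, so the 32-bit image explicitly asks for the 64-bit registry view rather than the WOW64-redirected one, and the CreateFileW at 01078AD0 opens its target with GENERIC_READ | GENERIC_WRITE and OPEN_ALWAYS, the combination used to append to an existing log file, whereas the one at 0108061D is a read-only OPEN_EXISTING.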
                                    APIs
                                      • Part of subcall function 010D89AB: RaiseException.KERNEL32(E06D7363,00000001,00000003,567482D4,?,?,0107C8E8,80004005,567482D4), ref: 010D8A0B
                                    • RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionHeapRaise
                                    • String ID:
                                    • API String ID: 3789339297-0
                                    • Opcode ID: a5234d276ff22ab8306a9b6eec208871dac985daa3436ca0b3715cca0e8a75d5
                                    • Instruction ID: f0a6038d2b4c94ec5cd3ba9eeb52b20ae5a5980d5ffe7667a1dc727b7304ed56
                                    • Opcode Fuzzy Hash: a5234d276ff22ab8306a9b6eec208871dac985daa3436ca0b3715cca0e8a75d5
                                    • Instruction Fuzzy Hash: 24F0E231608208FBC715CF50DC01F56BBA9EB04B10F00862DF81583A50D735A800DB41
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000000,010EE2B4,?,010F0055,?,00000000,?,010E07B5,00000000,010EE2B4,?,?,?,?,010EE0AE), ref: 010EEE19
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 88f8ca17dac5cabd876525170f0eedd2b40a5f46426400f674aee98354f9ed9d
                                    • Instruction ID: c8bc31d0d5d618fca142b61bfdeca55de7d5310c289cebdd6f813fb872c677eb
                                    • Opcode Fuzzy Hash: 88f8ca17dac5cabd876525170f0eedd2b40a5f46426400f674aee98354f9ed9d
                                    • Instruction Fuzzy Hash: 86E0E53120162E5EEA712A6FDD0CB9B3ACEDB053A0F0401A1EED196294EB70D84086E2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: H_prolog3
                                    • String ID:
                                    • API String ID: 431132790-0
                                    • Opcode ID: 7d6a51e59b2cf0e7d566aab140c9281bd00698eedb8afe34ecee48d90b67c160
                                    • Instruction ID: 477d059709bd3eed340fa44e2588ee3783024349cdaccb8a2795a7d6f297a335
                                    • Opcode Fuzzy Hash: 7d6a51e59b2cf0e7d566aab140c9281bd00698eedb8afe34ecee48d90b67c160
                                    • Instruction Fuzzy Hash: B5E09AB2C4020E9EDB00DFD4C556BEFB7BCBB14314F504556D645E6140EB7457458BA1
                                    APIs
                                    • CloseHandle.KERNEL32(?,567482D4,00000000,?,00000000,011470C3,000000FF,?,0105BB1C,?,00000000,00000000,?,0000000D,0000000E), ref: 0107CA29
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 091b03da5aa8d1506d5f51a02406656fbbf8eff081a9c22f793b030dafaada6b
                                    • Instruction ID: d87808c887b51000b0a0838ff8c6671c94aad889f9eef35f7bc8fe49342f7078
                                    • Opcode Fuzzy Hash: 091b03da5aa8d1506d5f51a02406656fbbf8eff081a9c22f793b030dafaada6b
                                    • Instruction Fuzzy Hash: 30114871805A09EFD720CF68C904B9ABBE8FB05724F1087AAE425D76D0E775A9008B80
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 4e82b6581579ea6c7ab82809a500d93d9c11fe17b28c8452c26a418c83743219
                                    • Instruction ID: ab60b7718e40e618d375b0ec92446de06cb1c8353de3f72b49c8fe626c4546d7
                                    • Opcode Fuzzy Hash: 4e82b6581579ea6c7ab82809a500d93d9c11fe17b28c8452c26a418c83743219
                                    • Instruction Fuzzy Hash: 88C08C3060131087C7304A18B50874236DC5B04750F004819A819C3200CA74DC408654
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                    • API String ID: 0-2910470256
                                    • Opcode ID: a8b1639b05f825c53b6b2ce6b9a8933bc2e6d485cad7c058699236f7f089f76c
                                    • Instruction ID: 7d7e2bf2abe7864cddd5d584acb68f45e588676428c16b585afde74a9af24c4d
                                    • Opcode Fuzzy Hash: a8b1639b05f825c53b6b2ce6b9a8933bc2e6d485cad7c058699236f7f089f76c
                                    • Instruction Fuzzy Hash: B133C520A48788E9D71CF7E4AA2971E7DD6AB65704F24834CF4613F6C1CFF90A41A791
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                    • API String ID: 0-1959677801
                                    • Opcode ID: e2a71ffa225ed756c2ea25462500bff673603b7418253255d29dd0bcf8d289c3
                                    • Instruction ID: 570c6b722fbdf59fb0cdb512928656fafd2bc339f949c8f070afebda057d74f1
                                    • Opcode Fuzzy Hash: e2a71ffa225ed756c2ea25462500bff673603b7418253255d29dd0bcf8d289c3
                                    • Instruction Fuzzy Hash: DD03E614648789E9D71DB2F51E3A75E7DD66B72640F24C38CB5523BAC2CFF80A01A362
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00F644FA
                                    • VariantClear.OLEAUT32(?), ref: 00F6452C
                                    • VariantClear.OLEAUT32(?), ref: 00F6464F
                                    • VariantClear.OLEAUT32(?), ref: 00F6467E
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F64685
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F646D8
                                    • VariantClear.OLEAUT32(?), ref: 00F64766
                                    • VariantClear.OLEAUT32(?), ref: 00F64798
                                    • VariantClear.OLEAUT32(?), ref: 00F648F9
                                    • VariantClear.OLEAUT32(?), ref: 00F6492C
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F64937
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F6497A
                                    • VariantClear.OLEAUT32(?), ref: 00F64A2F
                                    • VariantClear.OLEAUT32(?), ref: 00F64A62
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F64A70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$Free$Alloc
                                    • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                    • API String ID: 4112810936-3153392536
                                    • Opcode ID: f9779f376d539dc575b7560daeee2acd226ae8c0e76dbe659c5cd7834928fbc9
                                    • Instruction ID: 25a6f41139710926106a51f202325856a4a02631c13744c2ec8aa9ae627cf73f
                                    • Opcode Fuzzy Hash: f9779f376d539dc575b7560daeee2acd226ae8c0e76dbe659c5cd7834928fbc9
                                    • Instruction Fuzzy Hash: 3F924971D01218DBDB20DFA4CC44BDEBBB4FF48314F104299E459A7281EB78AA99DF94
                                    APIs
                                    • CreateFileW.KERNEL32(011E7078,C0000000,00000003,00000000,00000004,00000080,00000000,567482D4,011E7054,011E706C,?), ref: 01078AD0
                                    • GetLastError.KERNEL32 ref: 01078AED
                                    • OutputDebugStringW.KERNEL32(00000000,00000020), ref: 01078B66
                                    • OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 01078C6A
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 01078CDB
                                    • WriteFile.KERNEL32(00000000,011E6920,00000000,00000000,00000000,?,0000001C), ref: 01078D0B
                                    • WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,011668B8,00000002), ref: 01078DB6
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 01078DBF
                                    • FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 01078D10
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    • OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 01078EB3
                                    • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 01078F39
                                    • FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 01078F44
                                    • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,011668B8,00000002,?,?,CPU: ,00000005), ref: 01078FB8
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 01078FC1
                                    • WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,011668B8,00000002), ref: 01079046
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 0107904F
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
                                    • String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
                                    • API String ID: 4051163352-1312762833
                                    • Opcode ID: 67aea5e9a21c55e5caacf8b04baeab3e8d66cde546259afc3fcd9a5869aa6610
                                    • Instruction ID: a572c182c320f76ac52d8a69667e60e1cc5697792488379e1587e6666ec63376
                                    • Opcode Fuzzy Hash: 67aea5e9a21c55e5caacf8b04baeab3e8d66cde546259afc3fcd9a5869aa6610
                                    • Instruction Fuzzy Hash: B2129170A0120ADFEB10DF68CC48BAEBBF5FF44324F148299E915AB295DB74D945CB90
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00F638EA
                                    • VariantClear.OLEAUT32(?), ref: 00F6391C
                                    • VariantClear.OLEAUT32(?), ref: 00F63A16
                                    • VariantClear.OLEAUT32(?), ref: 00F63A45
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F63A4C
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F63A93
                                    • VariantClear.OLEAUT32(?), ref: 00F63B17
                                    • VariantClear.OLEAUT32(?), ref: 00F63B49
                                    • VariantClear.OLEAUT32(?), ref: 00F63C49
                                    • VariantClear.OLEAUT32(?), ref: 00F63C7C
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F63C87
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F63CCD
                                    • VariantClear.OLEAUT32(?), ref: 00F63D4A
                                    • VariantClear.OLEAUT32(?), ref: 00F63D7C
                                    • VariantClear.OLEAUT32(?), ref: 00F63E9C
                                    • VariantClear.OLEAUT32(?), ref: 00F63ECB
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F63ED2
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F63F25
                                    • VariantClear.OLEAUT32(?), ref: 00F63FAA
                                    • VariantClear.OLEAUT32(?), ref: 00F63FDC
                                    • VariantClear.OLEAUT32(?), ref: 00F640CD
                                    • VariantClear.OLEAUT32(?), ref: 00F640FA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$AllocFree
                                    • String ID:
                                    • API String ID: 1305860026-0
                                    • Opcode ID: df76c44ba1feea2c01086dec750c2c0a19ef4ab6d0a7ee11cfa9c0230e24469e
                                    • Instruction ID: cd705b9f5bcd072af63c12b2c8393f3db021ec5ae5d2eb6d9c359a4776642af4
                                    • Opcode Fuzzy Hash: df76c44ba1feea2c01086dec750c2c0a19ef4ab6d0a7ee11cfa9c0230e24469e
                                    • Instruction Fuzzy Hash: C9428C71D04248DFCB10DFA8CC44BDEBBB5EF48314F148269E815E7291E778AA49DBA1
                                    APIs
                                      • Part of subcall function 00F4F600: EnterCriticalSection.KERNEL32(011E7250,567482D4,00000000,?,?,?,?,?,?,00F4EE60,011007AD,000000FF), ref: 00F4F63D
                                      • Part of subcall function 00F4F600: LoadCursorW.USER32(00000000,00007F00), ref: 00F4F6B8
                                      • Part of subcall function 00F4F600: LoadCursorW.USER32(00000000,00007F00), ref: 00F4F75E
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F4F243
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F4F274
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F4F34B
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F4F35B
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F4F366
                                    • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00F4F374
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00F4F382
                                    • SetWindowTextW.USER32(?,0116438C), ref: 00F4F421
                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00F4F458
                                    • GlobalLock.KERNEL32(00000000), ref: 00F4F466
                                    • GlobalUnlock.KERNEL32(?), ref: 00F4F48A
                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00F4F515
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F4F52E
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00F4F575
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F4F595
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
                                    • String ID:
                                    • API String ID: 4180125975-0
                                    • Opcode ID: 8fde059c18e2099ddf3336413b4c90dfb973a0cc57b7233f845c37ef5cb3b10e
                                    • Instruction ID: 3f2e731d231657a5f120603770e9f148d90a70fd797c52d1fbbf67d0b9753c4b
                                    • Opcode Fuzzy Hash: 8fde059c18e2099ddf3336413b4c90dfb973a0cc57b7233f845c37ef5cb3b10e
                                    • Instruction Fuzzy Hash: D3D1B371E00209EFDB11CFA4C848BAFBFB9EF45324F144168F915AB280D7799A45DBA1
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00F58EA3
                                    • ShowWindow.USER32(00000000,?), ref: 00F58EC2
                                    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00F58ED0
                                    • GetWindowRect.USER32(00000000,?), ref: 00F58EE7
                                    • ShowWindow.USER32(00000000,?), ref: 00F58F08
                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 00F58F1F
                                      • Part of subcall function 00F52A50: RaiseException.KERNEL32(?,?,00000000,00000000,010D64E7,C000008C,00000001,?,010D6518,00000000,?,00F48F47,00000000,567482D4,00000001,?), ref: 00F52A5C
                                    • ShowWindow.USER32(?,?), ref: 00F5905D
                                    • GetWindowLongW.USER32(?,000000EB), ref: 00F5908C
                                    • ShowWindow.USER32(?,?), ref: 00F590A9
                                    • GetWindowRect.USER32(?,?), ref: 00F590CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$LongShow$Rect$ExceptionRaise
                                    • String ID:
                                    • API String ID: 777556035-0
                                    • Opcode ID: 6ed3a15b0d98bf08b6f155f75f3e1072cb2f7b8c2252216ff2457b8229afa632
                                    • Instruction ID: 5c336b18c60beef952bb1733a3a3b65f487bd4974e8e2e88b155730ca1cf434a
                                    • Opcode Fuzzy Hash: 6ed3a15b0d98bf08b6f155f75f3e1072cb2f7b8c2252216ff2457b8229afa632
                                    • Instruction Fuzzy Hash: D9425971E04208DFCB28CFA8D884A9EBBF5FF48315F10851DE959AB250D770A949DF51
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 0104D2A2
                                    • FindClose.KERNEL32(00000000), ref: 0104D2D0
                                    • FindClose.KERNEL32(00000000), ref: 0104D359
                                    Strings
                                    • No acceptable version found. It must be downloaded., xrefs: 0104D72D
                                    • No acceptable version found. It must be installed from package., xrefs: 0104D726
                                    • No acceptable version found. Operating System not supported., xrefs: 0104D73B
                                    • Not selected for install., xrefs: 0104D750
                                    • No acceptable version found., xrefs: 0104D749
                                    • No acceptable version found. It is already downloaded and it will be installed., xrefs: 0104D742
                                    • No acceptable version found. It must be downloaded manually from a site., xrefs: 0104D734
                                    • An acceptable version was found., xrefs: 0104D71F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                    • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                    • API String ID: 544434140-749633484
                                    • Opcode ID: c9792c9e6b48adbbd39911edc77f5d2c0acfcad97570b05f322e2dcdd9d9a6e8
                                    • Instruction ID: 0d659836727f24c23f54e3c233a83f9abc9106623d16b3c6f4aa175a44779a08
                                    • Opcode Fuzzy Hash: c9792c9e6b48adbbd39911edc77f5d2c0acfcad97570b05f322e2dcdd9d9a6e8
                                    • Instruction Fuzzy Hash: 1CF1AD70A00606CFDB50DF68C9887AEFBF1EF55310F1482A9D899AB391DB34DA45CB91
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F4ECDB
                                    • GetWindowLongW.USER32(00000004,000000EC), ref: 00F4ECEB
                                    • SetWindowLongW.USER32(00000004,000000EC,00000000), ref: 00F4ECF6
                                    • NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 00F4ED04
                                    • GetWindowLongW.USER32(00000004,000000EB), ref: 00F4ED12
                                    • SetWindowTextW.USER32(00000004,0116438C), ref: 00F4EDB1
                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00F4EDE8
                                    • GlobalLock.KERNEL32(00000000), ref: 00F4EDF6
                                    • GlobalUnlock.KERNEL32(?), ref: 00F4EE1A
                                    • SetWindowLongW.USER32(00000004,000000EB,00000000), ref: 00F4EE7F
                                    • NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 00F4EED1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                    • String ID:
                                    • API String ID: 3555041256-0
                                    • Opcode ID: ee3241bd14cdff70d9455fb938bdf66df047bb897068796fead255b0b02da8d5
                                    • Instruction ID: 8be21736d0d00610355c412ba268aeb61df81a21d5e210b4f635e57c250e8b35
                                    • Opcode Fuzzy Hash: ee3241bd14cdff70d9455fb938bdf66df047bb897068796fead255b0b02da8d5
                                    • Instruction Fuzzy Hash: 43A1AD71E01216DBDB209FA4CC48BAFBFB9FF44324F140618ED26A7281D7799940DBA1
                                    APIs
                                    • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00F66386
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • __Init_thread_footer.LIBCMT ref: 00F6634F
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00F6677F
                                    • SendMessageW.USER32(?,0000102B,?,?), ref: 00F667C8
                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00F6684E
                                      • Part of subcall function 01037EE0: __cftof.LIBCMT ref: 01037F2F
                                    • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00F66994
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
                                    • String ID: AiFeatIco$Icon
                                    • API String ID: 2303580663-1280411655
                                    • Opcode ID: 908548f80c7137c0bffdeccde122163f1680e13d68212129b8edd01f826b5066
                                    • Instruction ID: 8b439395291cef0051df126ac86998c0d006c381b05deb4411adb6262aa070a1
                                    • Opcode Fuzzy Hash: 908548f80c7137c0bffdeccde122163f1680e13d68212129b8edd01f826b5066
                                    • Instruction Fuzzy Hash: 2932BB71900249DFDF28DFA8C885BDDBBB1FF58304F144169E909AF292DB746A44DBA0
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • _wcschr.LIBVCRUNTIME ref: 0106B5AC
                                    • _wcsrchr.LIBVCRUNTIME ref: 0106B68B
                                    • _wcsrchr.LIBVCRUNTIME ref: 0106B6B5
                                    • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 0106B710
                                    • GetDriveTypeW.KERNEL32(?), ref: 0106B72A
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 0106B927
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 0106B9B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Wow64$DriveInit_thread_footerRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType_wcschr
                                    • String ID: ]%!
                                    • API String ID: 1522321474-1069524040
                                    • Opcode ID: 7630e9fb73cba226d0e09d6174c0d2e8e00083e4d690faceef120d984d2f092a
                                    • Instruction ID: bbafa44b3cb87a76fe9930fdbad9603ad1724040ba7f766da178a5ac3116616f
                                    • Opcode Fuzzy Hash: 7630e9fb73cba226d0e09d6174c0d2e8e00083e4d690faceef120d984d2f092a
                                    • Instruction Fuzzy Hash: B4F19071A00659CFDB25DB68CC84BADFBB8AF44310F0482E9E559E7291DB749E84CF90
                                    APIs
                                    • SendMessageW.USER32(00000000,00000432,00000000,?), ref: 00F9FD0C
                                    • SendMessageW.USER32(00000000,00000439,00000000,?), ref: 00F9FD1C
                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00F9FD2E
                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00F9FD3F
                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00F9FD52
                                    • GetWindowRect.USER32(?,?), ref: 00F9FD80
                                      • Part of subcall function 00FA1310: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA136F
                                      • Part of subcall function 00FA1310: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00F9FEE9,00000000,567482D4,?,?), ref: 00FA1388
                                      • Part of subcall function 00F50E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F50E96
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00F9FDE2
                                    • SendMessageW.USER32(00000000,00000411,00000001,?), ref: 00F9FDF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateLongRect
                                    • String ID:
                                    • API String ID: 1954517558-0
                                    • Opcode ID: c826df43fed8a9937c91a8ccedeb6898e054cac40669f42a115f4e381ef649df
                                    • Instruction ID: bbbac9b739c3795e4182efbabe637fcd752c57d68318048f0d22b54f83f3cef9
                                    • Opcode Fuzzy Hash: c826df43fed8a9937c91a8ccedeb6898e054cac40669f42a115f4e381ef649df
                                    • Instruction Fuzzy Hash: 54B1FAB1A00219AFDB04CF69C981AEEBBF5FB48300F40862AFD15E7280D774E954DB90
                                    APIs
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 01023690
                                    • SendMessageW.USER32(?,00000443,00000000), ref: 010236FA
                                    • MulDiv.KERNEL32(?,00000000), ref: 01023731
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow
                                    • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                    • API String ID: 701072176-2319862951
                                    • Opcode ID: 59d58f19e1cc63a812946dc96e68692fd5177cde5c9548fd4373a9c447d16142
                                    • Instruction ID: ca9297e6c8d8be398ed5fd8daf3458485aeea40e4e4738a4b236d50920dee9a0
                                    • Opcode Fuzzy Hash: 59d58f19e1cc63a812946dc96e68692fd5177cde5c9548fd4373a9c447d16142
                                    • Instruction Fuzzy Hash: 9CC1B031A00705AFEB28DF64CC55BEABBF1FF49300F108599E556AB2C1DB746A49CB90
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • GetACP.KERNEL32(?,?,?,?,?,?,010EA53E,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 010F4E11
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,010EA53E,?,?,?,00000055,?,-00000050,?,?), ref: 010F4E3C
                                    • _wcschr.LIBVCRUNTIME ref: 010F4ED0
                                    • _wcschr.LIBVCRUNTIME ref: 010F4EDE
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 010F4F9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                    • String ID: utf8
                                    • API String ID: 4147378913-905460609
                                    • Opcode ID: 111b78e4e570f76d9c7eaeee1b426f410b1756353b6b218fd0d0d6e81a336a05
                                    • Instruction ID: 97c061e7ed383c41d9040aeea87b05dc3e3d491ef60a34bd77ab7deba59a12bd
                                    • Opcode Fuzzy Hash: 111b78e4e570f76d9c7eaeee1b426f410b1756353b6b218fd0d0d6e81a336a05
                                    • Instruction Fuzzy Hash: 4971D531A04306AAEB25AF39CC4ABBB77E8EF54704F04406DEF99D7980EB70E5448761
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 39f4d58abd613b1a01e1dffceb4ddaaee6ab1bab374d64438630eb8c182701f2
                                    • Instruction ID: 55914353e8b59fbcfd2fc144a89f0479de698d26fe95ffeb619c396b341fd848
                                    • Opcode Fuzzy Hash: 39f4d58abd613b1a01e1dffceb4ddaaee6ab1bab374d64438630eb8c182701f2
                                    • Instruction Fuzzy Hash: BDD21671E08229CFDB65CE28DD417EAB7B5EB84304F1441EED68DE7640E738AA858F41
                                    APIs
                                    • _wcsrchr.LIBVCRUNTIME ref: 01044A68
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 01044B68
                                    • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 01044C05
                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 01044C2B
                                    • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 01044C75
                                    • _wcsrchr.LIBVCRUNTIME ref: 01044CF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirstInit_thread_footer_wcsrchr$HeapProcess
                                    • String ID:
                                    • API String ID: 2593539128-0
                                    • Opcode ID: 4ebcb3f657f55e3b002c481500c257bc055aa733835ef53c98767d61005db783
                                    • Instruction ID: abc4f97ead4bcb762768a0fafd5ff0d3da5f2175009bd5a63c99969c3a6ed826
                                    • Opcode Fuzzy Hash: 4ebcb3f657f55e3b002c481500c257bc055aa733835ef53c98767d61005db783
                                    • Instruction Fuzzy Hash: A1A1B1B1A00209DBDB14DF68CC84BAEBBF4FF84324F14866AE965D7280D7759904CB94
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,567482D4,?,00000000,00000000), ref: 010809A1
                                    • FindNextFileW.KERNEL32(?,00000000), ref: 010809BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: FileFind$FirstNext
                                    • String ID:
                                    • API String ID: 1690352074-0
                                    • Opcode ID: 61067bbd37b8e84c3b3a85e9fd16d4802684f08d6f60fc88a9c5d97ea5c5878b
                                    • Instruction ID: 28c4cce726cb3ae4543693b6c153a4a123707df056375ab9cf78ca1f0e7fadc2
                                    • Opcode Fuzzy Hash: 61067bbd37b8e84c3b3a85e9fd16d4802684f08d6f60fc88a9c5d97ea5c5878b
                                    • Instruction Fuzzy Hash: 34717C7190564DDFDB20EFA8C948ADEBBF8FF08314F148269E855EB285D7349A08CB51
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000C,010D6668,00000000,?,010D6800,00000000,?,?,00F50C24,?), ref: 010D674E
                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,00F50C24,?), ref: 010D6775
                                    • HeapAlloc.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D677C
                                    • InitializeSListHead.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D6789
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00F50C24,?), ref: 010D679E
                                    • HeapFree.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D67A5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                    • String ID:
                                    • API String ID: 1475849761-0
                                    • Opcode ID: f1ddd1d3f631bc32319ac172a6aab7ee4f2715b502ccad53c8e55a7092ce29c0
                                    • Instruction ID: 441dc8a21394d7f5a6b809ea4bf8ac3c59f1fefb9a2588137fb9546f4233a43e
                                    • Opcode Fuzzy Hash: f1ddd1d3f631bc32319ac172a6aab7ee4f2715b502ccad53c8e55a7092ce29c0
                                    • Instruction Fuzzy Hash: 4AF0C835600305DFDBB59FBCE808B0677ECBB88619F010878F996D3244EB30D0818B51
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,010F57FD,00000002,00000000,?,?,?,010F57FD,?,00000000), ref: 010F5578
                                    • GetLocaleInfoW.KERNEL32(?,20001004,010F57FD,00000002,00000000,?,?,?,010F57FD,?,00000000), ref: 010F55A1
                                    • GetACP.KERNEL32(?,?,010F57FD,?,00000000), ref: 010F55B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 5740848c4845523da0e54c9469ee265f14bfdc92d7995479bad1ec50a45074dd
                                    • Instruction ID: 67de1046a0bdd066c6405659c6570d7fb0394cf4a2bfd097232784404bf69613
                                    • Opcode Fuzzy Hash: 5740848c4845523da0e54c9469ee265f14bfdc92d7995479bad1ec50a45074dd
                                    • Instruction Fuzzy Hash: EB210672600101EAEB758F18CD1EA9B77E7AF40E64B4684ACEB8AD7901F732DE40C340
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 010F57C0
                                    • IsValidCodePage.KERNEL32(00000000), ref: 010F5809
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 010F5818
                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 010F5860
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 010F587F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID:
                                    • API String ID: 415426439-0
                                    • Opcode ID: 9ed6582864787e20c663e62054d0b9c80c42b2c5ce3247ce75bfab1b02811fe6
                                    • Instruction ID: 4c35340a7e06ec1ce1aad0905a7707dd5a29d918de510f2a7a1c0eba305cbdce
                                    • Opcode Fuzzy Hash: 9ed6582864787e20c663e62054d0b9c80c42b2c5ce3247ce75bfab1b02811fe6
                                    • Instruction Fuzzy Hash: 4F517071A0030AEBEF60DFA9DC46AAE77F8BF44700F14446DEB95EB540EB7095408B61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 241f84bb112c11c5fb2f49daa3222531d8b45c597fd7bbd776db9f8d97f6aed0
                                    • Instruction ID: 79b6338d54a36d5512fb0685db2c0da7d9d24124b031c0adb035d715ccd0b341
                                    • Opcode Fuzzy Hash: 241f84bb112c11c5fb2f49daa3222531d8b45c597fd7bbd776db9f8d97f6aed0
                                    • Instruction Fuzzy Hash: CAB15972A042479FDB15CF69C884BEEBFE5EF56310F1581AAE984AB241C335D901CBA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 673cbb0e88710b7483f09e802f5d2eb863bd5fe82d963c8d382f53eae447a9e3
                                    • Instruction ID: da6022b30c6a5da87db158a0157e783c41b9833ba7211eb005ea83bb2b893777
                                    • Opcode Fuzzy Hash: 673cbb0e88710b7483f09e802f5d2eb863bd5fe82d963c8d382f53eae447a9e3
                                    • Instruction Fuzzy Hash: E081B170901219DFEB64DF28CD48B99BBF8EF44324F1482D9E858A7291DB749E44CF91
                                    APIs
                                    • FindResourceW.KERNEL32(00000000,?,00000017,567482D4,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00FDAD49
                                    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00FDAD58
                                    • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00FDAD63
                                    • SizeofResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,Function_001C889D,000000FF), ref: 00FDAD74
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID:
                                    • API String ID: 3473537107-0
                                    • Opcode ID: 3d779959cd2b258489642c51c40015b162b46e9dc5d63565c8cec270cd0e2258
                                    • Instruction ID: 7c42f92c977b309dc195cc0dbaa1a134b95171b131834c141c29c2e615be415b
                                    • Opcode Fuzzy Hash: 3d779959cd2b258489642c51c40015b162b46e9dc5d63565c8cec270cd0e2258
                                    • Instruction Fuzzy Hash: BB310871D05705EBDB249F74DC00BABB7B9EB04720F14462AEC51D3780EB309A04D7A2
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FA0DB5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA0DD3
                                    • NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00FA0DE5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA0DF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: 01783cf36d1ff4464bc46e79203af553060aa15b281ca7450695afc7b2822094
                                    • Instruction ID: ec82091d98e61febd952d9828d780dac8b4c42c0e4916eb949dc489d0ed2b7fc
                                    • Opcode Fuzzy Hash: 01783cf36d1ff4464bc46e79203af553060aa15b281ca7450695afc7b2822094
                                    • Instruction Fuzzy Hash: C031CE71A04219EFCB10CFA8D884B5DBBF1FF45324F1042A9E421AB2D0DBB1A940DB50
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FA0C40
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA0C5E
                                    • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?,?,000000F0,00000000,?,000000F0), ref: 00FA0C71
                                    • SetWindowLongW.USER32(FFFFFFFF,000000F0,00000000), ref: 00FA0C89
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: 2398fb71a633a4c86f51ba176c382b2266766ea419bfecfeeaeff62194d4a204
                                    • Instruction ID: 1a485bdfb6f70397e94ec16acb8c6759c9372cb8fce27279b7867c477417eb2f
                                    • Opcode Fuzzy Hash: 2398fb71a633a4c86f51ba176c382b2266766ea419bfecfeeaeff62194d4a204
                                    • Instruction Fuzzy Hash: B0115E76A04219EFDB649F98DC44A9DFBB1FB44320F21032AE426A73E0DB315D10DB40
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FA0CB5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA0CD3
                                    • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?,?,000000F0,00000000,?,000000F0), ref: 00FA0CE9
                                    • SetWindowLongW.USER32(FFFFFFFF,000000F0,00000000), ref: 00FA0D01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$NtdllProc_
                                    • String ID:
                                    • API String ID: 3674618424-0
                                    • Opcode ID: 7aa8e0478282c55cbcc2af268717e009583221710a4cd240ab99fdfbd58fdbfa
                                    • Instruction ID: d97816166e91979875c7a76c4732e1d27c54b88e5ab7938159a43eb74950bb64
                                    • Opcode Fuzzy Hash: 7aa8e0478282c55cbcc2af268717e009583221710a4cd240ab99fdfbd58fdbfa
                                    • Instruction Fuzzy Hash: A7115E76A04219DFDB659F98DC44A9DFBB1FB44320F20432AF866A73E0DB325910DB40
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 0106C9EC
                                    • FindClose.KERNEL32(00000000), ref: 0106CB37
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Find$AllocateCloseFileFirstHeap
                                    • String ID: %d.%d.%d.%d
                                    • API String ID: 1673784098-3491811756
                                    • Opcode ID: 62bea8b2014f0d58e683a707cfc7e69b01c0b4ef5aa9ba7b8a5f3a399a9c61e1
                                    • Instruction ID: ac89ca1160717076d0fe66f80c956c6bcf12936bea78dd60c4f4f1124e9aa2db
                                    • Opcode Fuzzy Hash: 62bea8b2014f0d58e683a707cfc7e69b01c0b4ef5aa9ba7b8a5f3a399a9c61e1
                                    • Instruction Fuzzy Hash: 2C618C70905219DFDF64DF28CD48B9EBBB4EF44314F1082D9E858AB291DB369A84DF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                    • API String ID: 0-932585912
                                    • Opcode ID: a0d20daddd5cdadb52f651ce40d286c792a3e9acb523822530fdc865280bac65
                                    • Instruction ID: 48eb14c362e65f1ff6d3f8c11f085c1c32572834a6fee75ca193e25ca9ca0844
                                    • Opcode Fuzzy Hash: a0d20daddd5cdadb52f651ce40d286c792a3e9acb523822530fdc865280bac65
                                    • Instruction Fuzzy Hash: BCD1A170D04218DFDB08DFA9CC48BAEBBB1FF85305F108159D455AB385DB78AA09DBA1
                                    APIs
                                    • VirtualQuery.KERNEL32(80000000,010D4062,0000001C,010D4257,00000000,?,?,?,?,?,?,?,010D4062,00000004,011E58EC,010D42E7), ref: 010D412E
                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,010D4062,00000004,011E58EC,010D42E7), ref: 010D4149
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: InfoQuerySystemVirtual
                                    • String ID: D
                                    • API String ID: 401686933-2746444292
                                    • Opcode ID: a1556a9b21b11c8e7ba9b868fb3d1e119ee99b02663a847c7c00e985412a9d4e
                                    • Instruction ID: 74cfc15871d4bae59a1b9ef0c1cdd0d71ce9b7b0592305f50e1af8fdc128b794
                                    • Opcode Fuzzy Hash: a1556a9b21b11c8e7ba9b868fb3d1e119ee99b02663a847c7c00e985412a9d4e
                                    • Instruction Fuzzy Hash: F501F776700219ABDB24DE29DC09BDE7BE9AFD4238F0CC264ED99D7144DA34D8418680
                                    APIs
                                      • Part of subcall function 00F53730: InitializeCriticalSectionAndSpinCount.KERNEL32(011E5C5C,00000000,567482D4,00F40000,Function_001BE9A0,000000FF,?,010D6466,?,?,?,00F46508), ref: 00F53755
                                      • Part of subcall function 00F53730: GetLastError.KERNEL32(?,010D6466,?,?,?,00F46508), ref: 00F5375F
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00F46508), ref: 010D646A
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F46508), ref: 010D6479
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 010D6474
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 450123788-631824599
                                    • Opcode ID: 9cb8ca63bfd45c95dcd95c8ce16107a7ddc5b9679852525c010f2d7ddd8a36c4
                                    • Instruction ID: 841cad1924151ca0bf509428f03909a2b3e49d746c62aa396d89757a0f9a7aff
                                    • Opcode Fuzzy Hash: 9cb8ca63bfd45c95dcd95c8ce16107a7ddc5b9679852525c010f2d7ddd8a36c4
                                    • Instruction Fuzzy Hash: 68E06D70201751CBD7B8AF68E5083467BE4AF04759F40896DD9A6C3204EBB5E084CBA1
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010F51B7
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010F5201
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010F52C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: InfoLocale$ErrorLast
                                    • String ID:
                                    • API String ID: 661929714-0
                                    • Opcode ID: 01335e544f69d97fbf362da360837498fb0d52b0f818bf819079ab7bfea032e7
                                    • Instruction ID: 5ffb0e3bebbddfc32d7fe239934fbadf1344517a5d772a69b3d37fdf4db1cb09
                                    • Opcode Fuzzy Hash: 01335e544f69d97fbf362da360837498fb0d52b0f818bf819079ab7bfea032e7
                                    • Instruction Fuzzy Hash: 0861A0715006079FEBA9DF2CCC86BAA77E8FF05300F1481ADEA85C6A85E774D981CB50
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,567482D4,?), ref: 010282FC
                                    • FindNextFileW.KERNEL32(000000FF,00000010,?,567482D4,?), ref: 01028455
                                    • FindClose.KERNEL32(000000FF,?,?,567482D4,?), ref: 010284B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    • Opcode ID: f81bb42af146828713696fc8284a9900dbcec1dc50d7df88f83251c669fa5b9e
                                    • Instruction ID: 9ec64c1ea2deb57a2933e7d7ef8277c559cfe88f102c2343eac0cc68436cb38c
                                    • Opcode Fuzzy Hash: f81bb42af146828713696fc8284a9900dbcec1dc50d7df88f83251c669fa5b9e
                                    • Instruction Fuzzy Hash: 9881BA74C00259DBDB24DF68C858BEEBBF8EF04304F10C299D855A7291DB706A85CB90
                                    APIs
                                    • IsWindow.USER32(00000004), ref: 00F589FE
                                    • GetWindowLongW.USER32(00000004,000000FC), ref: 00F58A17
                                    • SetWindowLongW.USER32(00000004,000000FC,?), ref: 00F58A29
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: e0307820a039ac21b6271a3fa6762d0fe601fb96fd70a8fcf7202930d17c1bb6
                                    • Instruction ID: c18abf776485e5dd23daac77959561a7b6487d6d21be1c026823e5d3694d2c40
                                    • Opcode Fuzzy Hash: e0307820a039ac21b6271a3fa6762d0fe601fb96fd70a8fcf7202930d17c1bb6
                                    • Instruction Fuzzy Hash: 34416FB0A01646FFDB14CFA5C908B5ABBF4FF04324F104229E565DBA90EB76A914DB90
                                    APIs
                                    • GetWindowLongW.USER32(00000003,000000FC), ref: 00F5C7A6
                                    • SetWindowLongW.USER32(00000003,000000FC,?), ref: 00F5C7B8
                                    • DeleteCriticalSection.KERNEL32(?,567482D4,?,?,?,?,01102AE4,000000FF), ref: 00F5C7E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: LongWindow$CriticalDeleteSection
                                    • String ID:
                                    • API String ID: 1978754570-0
                                    • Opcode ID: 94b0f942b2a4827c48ac7d0378351e9b4202e61e61ca39f1d0a3a733b6942599
                                    • Instruction ID: e2a92064be1596f045933a400074dd9e672aee29f19a4e3db8c6f82cf15a1f3b
                                    • Opcode Fuzzy Hash: 94b0f942b2a4827c48ac7d0378351e9b4202e61e61ca39f1d0a3a733b6942599
                                    • Instruction Fuzzy Hash: 1831CF71A04346AFCB24CFA4D844B9ABBF8FF05325F104329E821A7A81D775E954DB90
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 010DBF9B
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 010DBFA5
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 010DBFB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 8feba3210f86125185f2280ee2176b12aec7eb1b5c17a7ac61a7b0ed79ea8c98
                                    • Instruction ID: dec3034b59b2ad42fe42b62406fb21396186b1ad3810d43ff589eff282fa9f89
                                    • Opcode Fuzzy Hash: 8feba3210f86125185f2280ee2176b12aec7eb1b5c17a7ac61a7b0ed79ea8c98
                                    • Instruction Fuzzy Hash: 0F31B27590132DEBCB61DF68D9887CDBBB8AF18314F5041EAE41CA7290EB709B858F45
                                    APIs
                                    • GetWindowLongW.USER32(?,000000FC), ref: 00F51759
                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00F51767
                                    • DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,0116484C), ref: 00F51793
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long$Destroy
                                    • String ID:
                                    • API String ID: 3055081903-0
                                    • Opcode ID: ecb6e7cc0b489142288144cb4399d3745bfcc2f18517c407daa4fc2d85af8a4c
                                    • Instruction ID: cb0168dd1bb889bc1927309e9b600d6d5060b9efef2b37e940fc1fa09f52ae4c
                                    • Opcode Fuzzy Hash: ecb6e7cc0b489142288144cb4399d3745bfcc2f18517c407daa4fc2d85af8a4c
                                    • Instruction Fuzzy Hash: CBF01D34505B129BD7B45B68FD04B927BE5BB09736B004B28E5BB865E4D724A8889B00
                                    APIs
                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00F67ABB
                                    • SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00F67CA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 90917c0d176b2bd2eec877ad135fda93b0881d2af532d9cfe6c3f87db7df5d37
                                    • Instruction ID: f0fd7f4a2dc96dc59d20a5914b48fdb5a08297dc3517ffaaedf40f0049cd1930
                                    • Opcode Fuzzy Hash: 90917c0d176b2bd2eec877ad135fda93b0881d2af532d9cfe6c3f87db7df5d37
                                    • Instruction Fuzzy Hash: 07A1E171A08346AFCB18EF24C894BE9FBB5FF54318F148269E819DB285D734A940DB90
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,567482D4,00000000,?,00000000), ref: 0105F34E
                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 0105F399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 2d1dabf437df797bd7de47993ec1548163f3697c8703ae92212f1eeb04494183
                                    • Instruction ID: baff7efb1e49940528bd4165ee743ce4243e422dfe31752a579d54de7fb63381
                                    • Opcode Fuzzy Hash: 2d1dabf437df797bd7de47993ec1548163f3697c8703ae92212f1eeb04494183
                                    • Instruction Fuzzy Hash: 7251AE70A0060ADFEB64DF68C848BAFBBF4FF44314F108559E955AB381D778AA05CB90
                                    APIs
                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,567482D4,?,00000000), ref: 0104324B
                                    • GetLastError.KERNEL32(?,00000000), ref: 01043255
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 6f7de6762a3ec978a2352c674ce79e5ccd39ce06173c503034f58ca2756db2e5
                                    • Instruction ID: 17a1216fe2fc5f7e49a1c2820277aa59302acf83a7506b1fc795501cffbaa1d0
                                    • Opcode Fuzzy Hash: 6f7de6762a3ec978a2352c674ce79e5ccd39ce06173c503034f58ca2756db2e5
                                    • Instruction Fuzzy Hash: 1E31C0B1A04219ABEB14DF98DC45BAEBBF8FB04B14F10426EE914E7380DBB599008791
                                    APIs
                                    • GetWindowLongW.USER32(00000000,000000FC), ref: 00FA017F
                                    • SetWindowLongW.USER32(00000000,000000FC,?), ref: 00FA018D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 4fbd5d33891f7ca129ca8713b3cb266f06256cccc3d78f2027a53b9bb6e2e3b6
                                    • Instruction ID: 7a27eb253537ce335fbc63950be45c5cfeb67a5a8db1871ac8d097be65b91c07
                                    • Opcode Fuzzy Hash: 4fbd5d33891f7ca129ca8713b3cb266f06256cccc3d78f2027a53b9bb6e2e3b6
                                    • Instruction Fuzzy Hash: 2731BD71901205EFCB10DFA9D944B9AFBF4FB05320F108369E425AB6D0DB35AA50CB90
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,567482D4,?,00000000,00000000,00000000,011445DD,000000FF), ref: 0106F908
                                    • FindClose.KERNEL32(00000000,?,567482D4,?,00000000,00000000,00000000,011445DD,000000FF), ref: 0106F952
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 82052af6e370e811628efdc7e0933bea722622bd4a1fd771ff29c7c69a06a804
                                    • Instruction ID: 38a4e3005345f380698958378535a624e5bc4e5ba8bf99ce07ed9f5cb65d9e84
                                    • Opcode Fuzzy Hash: 82052af6e370e811628efdc7e0933bea722622bd4a1fd771ff29c7c69a06a804
                                    • Instruction Fuzzy Hash: 78219272900649DFDB24DF68DD48BEEB7B8FF44728F144269E825A72D0DB345A09CB90
                                    APIs
                                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,010D5DF9,?,?,?,?,010573F1), ref: 010D63C6
                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,010D5DF9,?,?,?,?,010573F1), ref: 010D63CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem$Precise
                                    • String ID:
                                    • API String ID: 743729956-0
                                    • Opcode ID: cde947bfc8ac47d8aff910c69e2a8bf33e5a406d227f497186a743c8e3408928
                                    • Instruction ID: 85e2a6d0b1bf95de089d1604d8071912385ea2deff7437fcb628725b739f8c85
                                    • Opcode Fuzzy Hash: cde947bfc8ac47d8aff910c69e2a8bf33e5a406d227f497186a743c8e3408928
                                    • Instruction Fuzzy Hash: F9D0223654033CE78B252FC8E8084EC7F5CEA04BA93008031F90567104CFA218908FD2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 2
                                    • API String ID: 0-450215437
                                    • Opcode ID: b10e50d6bdc4b87ce910da69221b901a193ad663029d9e87551a00623e7e2c01
                                    • Instruction ID: ee7ec0b0b00829a20043b4175bcd7135238435828ef17077d503e5575909a3b0
                                    • Opcode Fuzzy Hash: b10e50d6bdc4b87ce910da69221b901a193ad663029d9e87551a00623e7e2c01
                                    • Instruction Fuzzy Hash: D732C0B1A087568BC700EF29D98056B77E6AFD4708F00893EE4CBD7241EA35E958D793
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010F540A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: 11dfdb38506209858c2dfa24211dd3d7cc529dd8ebc3407b874884f5e47ce409
                                    • Instruction ID: f03ba2fe4390549ed590b8caa9895b2b57edc3de22214f6a6f8482a370c0e0af
                                    • Opcode Fuzzy Hash: 11dfdb38506209858c2dfa24211dd3d7cc529dd8ebc3407b874884f5e47ce409
                                    • Instruction Fuzzy Hash: 2221C832615206AFDB289B29DC46ABA77E8EF45319F10417DEE85C7541EF34F940CB50
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • EnumSystemLocalesW.KERNEL32(010F5163,00000001,00000000,?,-00000050,?,010F5794,00000000,?,?,?,00000055,?), ref: 010F50AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 5cb2124c3b139351713e858b90e7eb6fe39a7087205c00746aeb818703a2300f
                                    • Instruction ID: 322d8ac15a7a7e668d0287d1fe5be92552ec9b549eceedb5b1c334a9a349931d
                                    • Opcode Fuzzy Hash: 5cb2124c3b139351713e858b90e7eb6fe39a7087205c00746aeb818703a2300f
                                    • Instruction Fuzzy Hash: 2E11E9366047059FDB189F39DC956BAB7D1FF84358B18442CE68647E40E7717542CB80
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,010F537F,00000000,00000000,?), ref: 010F5611
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: 4d509701197dd1c7d0747daaec37889bf1915dea0d07482ff6357529b6069f33
                                    • Instruction ID: 6cc62e6215d0d8ca60be939ddb414c2bc47bc5cdb56775b676e893f4fc1ce7b9
                                    • Opcode Fuzzy Hash: 4d509701197dd1c7d0747daaec37889bf1915dea0d07482ff6357529b6069f33
                                    • Instruction Fuzzy Hash: 70F02D32900116BFEF289625DC0A7FE7BA4EB44754F05446CDFA6A3940EB70FE41CA90
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 010F4F9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID: utf8
                                    • API String ID: 3736152602-905460609
                                    • Opcode ID: 877ce05af70231fe777ed5e5e9d964b36323c502844dde9b30508ca7998be727
                                    • Instruction ID: 84638ebebaad7a6a7f0be49a4716b40c196453c7896e85ee6f782533757b2102
                                    • Opcode Fuzzy Hash: 877ce05af70231fe777ed5e5e9d964b36323c502844dde9b30508ca7998be727
                                    • Instruction Fuzzy Hash: 05F02832A0120AEFC724AB34DC49EFE33E8DB44315F00417DAA47D7640EA34AD058750
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • EnumSystemLocalesW.KERNEL32(010F53B6,00000001,?,?,-00000050,?,010F5758,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 010F5122
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 73bd9bfac6f93ca07d9eaa2524e3f57011cff4f587f588806b0bbbd95d2c46df
                                    • Instruction ID: 212670f56fa1f18994c954d0b31c42cca08614993b811ba48064e6eefaa8aa6a
                                    • Opcode Fuzzy Hash: 73bd9bfac6f93ca07d9eaa2524e3f57011cff4f587f588806b0bbbd95d2c46df
                                    • Instruction Fuzzy Hash: AAF0F6362003056FDB245F39DC86A7A7BD5FF80368F05846CFB854BA40D6B1A842CB50
                                    APIs
                                      • Part of subcall function 010EBA2A: EnterCriticalSection.KERNEL32(-011E6108,?,010EDFE9,00F49F26,011DA8F8,0000000C,010EE2B4,?), ref: 010EBA39
                                    • EnumSystemLocalesW.KERNEL32(010F0DCC,00000001,011DAA38,0000000C,010F11FB,00000000), ref: 010F0E11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 6527ca22454deeb0bde1a53560283d5247c655030a582dd3aa6b83c2180156dc
                                    • Instruction ID: 1a915ff3ac185058609f96e51c90362a7130c80dfce2cb3bba15d9a01643ef1b
                                    • Opcode Fuzzy Hash: 6527ca22454deeb0bde1a53560283d5247c655030a582dd3aa6b83c2180156dc
                                    • Instruction Fuzzy Hash: EAF03776A00305DFD714EF99E402B9C77F0EB58721F10812AE518DB290D7755941CB50
                                    APIs
                                      • Part of subcall function 010EEA06: GetLastError.KERNEL32(?,00000008,010F0623), ref: 010EEA0A
                                      • Part of subcall function 010EEA06: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 010EEAAC
                                    • EnumSystemLocalesW.KERNEL32(010F4F4B,00000001,?,?,?,010F57B6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 010F5029
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 91bef0bb9a26f3a22d987e452f8a9db6582b37577027baeed28ef74eefba2684
                                    • Instruction ID: f27e7cdb2943cec12cf7956a97905fa3c29d96b4ae0dd488529a6d68938c3b39
                                    • Opcode Fuzzy Hash: 91bef0bb9a26f3a22d987e452f8a9db6582b37577027baeed28ef74eefba2684
                                    • Instruction Fuzzy Hash: 20F0E5363002099BCB159F3AD84AA6B7FD4EFC2654B4A409DFB498BA51D6719843C790
                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00F5FFA7,?,?,?,?,?,?,?,?,00F5FE18,?,?), ref: 00F61920
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    • Opcode ID: 75016e80b54baab99df25c921b8924577f3638881e4a4a9b61327a5b9a16b825
                                    • Instruction ID: 4751ebfa79a6a414726e8817193cee3f7b3746dc4171b1b8a45a594a0666646f
                                    • Opcode Fuzzy Hash: 75016e80b54baab99df25c921b8924577f3638881e4a4a9b61327a5b9a16b825
                                    • Instruction Fuzzy Hash: 8AF0A034005245DEE3048B64C868B69BBF6FB44366F8C45F5E098CA461C379CE90FF10
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,010EB0A4,?,20001004,00000000,00000002,?,?,010EA6A6), ref: 010F138A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 24b06006e4d27c843af963a7c5eed32f9238bf3f1dd29e5e67a147bf91e0f960
                                    • Instruction ID: b35f9bbc2430d0d6f92f7b13ae03947313786bd67fd27d80011e3c27754a206b
                                    • Opcode Fuzzy Hash: 24b06006e4d27c843af963a7c5eed32f9238bf3f1dd29e5e67a147bf91e0f960
                                    • Instruction Fuzzy Hash: E8E0DF3140022CFBCF122F60DC09AAE3E1AEF007A0F008028FE6922520CB3289209B91
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: 1
                                    • API String ID: 0-2212294583
                                    • Opcode ID: 9ec933ca9020408dac1d18759edf6aaa316199356b7efdc22b893789f775de87
                                    • Instruction ID: c3630c09b781c60d1ad17be1868b7b1dd78a46a4f81f25059f669de4976d2bb5
                                    • Opcode Fuzzy Hash: 9ec933ca9020408dac1d18759edf6aaa316199356b7efdc22b893789f775de87
                                    • Instruction Fuzzy Hash: B2D126B0505789EFEB09CF64C55878AFFF4BF15308F14829DC4986B281C7BA6A18CB91
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a42b46844a97fbdb7f2cad30bc0787d630dd280245e0d94bd49130eed46dd5f1
                                    • Instruction ID: c752208c25684615a7df374d5d71008ecd67508f68c10c2f3aade34b883397ad
                                    • Opcode Fuzzy Hash: a42b46844a97fbdb7f2cad30bc0787d630dd280245e0d94bd49130eed46dd5f1
                                    • Instruction Fuzzy Hash: 15E1AA70A007079FDB65CF6CC480AAEBBF2BF48324B148699D5D79B291D730A943CB52
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d9a70113b84af26a19b1f37a601d5aa6e5fd32b94cca35bc483dffb6a917fa39
                                    • Instruction ID: 0fd955579708512ee42ca36ecce185df07267fc6dc8f630c092a41f7e02fd6e1
                                    • Opcode Fuzzy Hash: d9a70113b84af26a19b1f37a601d5aa6e5fd32b94cca35bc483dffb6a917fa39
                                    • Instruction Fuzzy Hash: B0C1CC70A007478FDB64CF6CC484AAEBBE1BF49214F548699D6C7DB6A1CB20E947CB40
                                    Similarity
                                    • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                    • String ID:
                                    • API String ID: 3471368781-0
                                    • Opcode ID: 57b7ee0965d92416dfad6e7f54d7deb9dceae9b12395317e3947115bf85db2e4
                                    • Instruction ID: c8482a78767c3161d5f8f6fc488a4cc5899e66c76e698ca196f9b577e90d6db2
                                    • Opcode Fuzzy Hash: 57b7ee0965d92416dfad6e7f54d7deb9dceae9b12395317e3947115bf85db2e4
                                    • Instruction Fuzzy Hash: C4B1E4356047069BDB39DF29CC82ABBB3E9EB44308F4445ADDFC3C6A81EA75A585C710
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a578a6d572cbbe6026ad31922f0268fa9020b7c82b3ffc660240fe2a23642e70
                                    • Instruction ID: 8e34d2dedbd07808b276218a4e2f662637dbcb0a332262a3d45cc467b3fbe9e6
                                    • Opcode Fuzzy Hash: a578a6d572cbbe6026ad31922f0268fa9020b7c82b3ffc660240fe2a23642e70
                                    • Instruction Fuzzy Hash: 1771E8B1801B48CFE761CF78C94578ABBF0BB05324F14865DD4AA9B3D1D3B96648CB91
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0663a9e3a234d72e066cbcf77b423a5a1ce57eb7306824bb2eea91f726fab2f9
                                    • Instruction ID: 8ec68772f902fe1fdb2672c36b295b23fd8e14fd4e58452077c4f685633200ca
                                    • Opcode Fuzzy Hash: 0663a9e3a234d72e066cbcf77b423a5a1ce57eb7306824bb2eea91f726fab2f9
                                    • Instruction Fuzzy Hash: 7D41F4B0905B49EED718CF69C50878AFBF0BB09318F20825DC4599B781D3BAA619CFD5
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: faecb125012c4a4bacdf6ab2a3fd876a231a73525d86b95a6454402dd3b6a24d
                                    • Instruction ID: 6511abf753bab0dd0b699c70cd07900877b3caf57249d17204cf8effd64a1de1
                                    • Opcode Fuzzy Hash: faecb125012c4a4bacdf6ab2a3fd876a231a73525d86b95a6454402dd3b6a24d
                                    • Instruction Fuzzy Hash: 3B31EFB0405B84CEE321CF69C618347BFF4BB15718F108A4DD4A29BB91D3BAA648CB91
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b7f9a3eb194bb702c8af412de4a986edb1a22fd838f46b7ec80e5e671362119c
                                    • Instruction ID: bdb50357415429f90ad20a10ef558a8938bca216a8a268485a5d80cf2d38835b
                                    • Opcode Fuzzy Hash: b7f9a3eb194bb702c8af412de4a986edb1a22fd838f46b7ec80e5e671362119c
                                    • Instruction Fuzzy Hash: C9216AB1805748CFD724CF98C54478ABBF4FB09324F1186AED456AB791E3B9AA44CF90
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b716e859c04c9572327b654ae8470468d0d8785764676cd1c94e08c0ad78be83
                                    • Instruction ID: d7d96dd16c10673653a92b2691621a47e71a0db2bd14f2c5f39d0c3542273aec
                                    • Opcode Fuzzy Hash: b716e859c04c9572327b654ae8470468d0d8785764676cd1c94e08c0ad78be83
                                    • Instruction Fuzzy Hash: 6D215BB0805748CFD724CF58C54478ABBF4FB09314F1186AED455AB791E3B9AA44CB90
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 43d52c7a88031cc3dfebc132d5ddf371d0ef186f5b18502855aeba937a61193b
                                    • Instruction ID: 5b5941a2ab5919c8a06bc2d0d7385d5395c8f1a70d9644c035b5c0850daa48ae
                                    • Opcode Fuzzy Hash: 43d52c7a88031cc3dfebc132d5ddf371d0ef186f5b18502855aeba937a61193b
                                    • Instruction Fuzzy Hash: 0811E9B5905248DFCB54CF58D544789BBF4FB08328F2086AEE8299B381D3769A16CF80
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                    • Instruction ID: b11238f3154a0a4a22aad2a8b61c7666274127ea18f0a28e8f588012fc12ab24
                                    • Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                    • Instruction Fuzzy Hash: C2E08C32A11278EBCB25DB9CC9069CAF7ECEB44B80B1140AAF601D3600C2B1DE00C7D0
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 196375293714f82e9c99ca5bb7d726515ed7690d3670f28b5cdcddecd6e68249
                                    • Instruction ID: 96c9a3ddab94e48de3761ab3aaab394f00da32706698fca261481638811ffc83
                                    • Opcode Fuzzy Hash: 196375293714f82e9c99ca5bb7d726515ed7690d3670f28b5cdcddecd6e68249
                                    • Instruction Fuzzy Hash: A7C08C344009404BDE2AA95893753E433D7F391682F8004CDC69F0BA43C55E9C86E700
                                    Strings
                                    • Unable to retrieve PowerShell output from file: , xrefs: 010760FE
                                    • Unable to find file , xrefs: 01075DD3
                                    • Unable to get a temp file for script output, temp path: , xrefs: 01075EAF
                                    • Unable to retrieve exit code from process., xrefs: 01076121
                                    • txt, xrefs: 01075E73
                                    • ps1, xrefs: 01075E46, 01075E58, 01075E62
                                    • powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 01075EFF
                                    • Unable to create process: , xrefs: 01075FA4
                                    Similarity
                                    • API ID:
                                    • String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
                                    • API String ID: 0-4129021124
                                    • Opcode ID: 5541f3d86e3eb4bffa53699210f00cfa1d96d91b582fb88e3aa32c09a10048a0
                                    • Instruction ID: 1f7d24fd17da9051066167961cd898c1ae9e281cbd54de2cbf34e98c2534b2f7
                                    • Opcode Fuzzy Hash: 5541f3d86e3eb4bffa53699210f00cfa1d96d91b582fb88e3aa32c09a10048a0
                                    • Instruction Fuzzy Hash: 37C1C070E0060AEFEB11DBA8CD09B9EBBF4FF04324F148259F565A7291DB759A44CB90
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • GetModuleHandleW.KERNEL32(kernel32,567482D4,?,?,00000000), ref: 0102B1F3
                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0102B23B
                                    • __Init_thread_footer.LIBCMT ref: 0102B24E
                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 0102B296
                                    • __Init_thread_footer.LIBCMT ref: 0102B2A9
                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0102B2F1
                                    • __Init_thread_footer.LIBCMT ref: 0102B304
                                      • Part of subcall function 01002620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 01002661
                                      • Part of subcall function 01002620: _wcschr.LIBVCRUNTIME ref: 0100271F
                                    Strings
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 0102B187
                                    • SetSearchPathMode, xrefs: 0102B235
                                    • kernel32, xrefs: 0102B1EE
                                    • SetDefaultDllDirectories, xrefs: 0102B2EB
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 0102B180, 0102B18F
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 0102B167, 0102B16F
                                    • kernel32.dll, xrefs: 0102B44D
                                    • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 0102B162
                                    • SetDllDirectory, xrefs: 0102B290
                                    Similarity
                                    • API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
                                    • String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
                                    • API String ID: 1258094593-3455668873
                                    • Opcode ID: 3fc4824d1f3d839cf905b9ad55e0e03b947a7fe6521592873e993ba865fd26e1
                                    • Instruction ID: 2196764fa2c9beef7dd53f621e299ab9dd6fd683db63f247a95652822f45884c
                                    • Opcode Fuzzy Hash: 3fc4824d1f3d839cf905b9ad55e0e03b947a7fe6521592873e993ba865fd26e1
                                    • Instruction Fuzzy Hash: BFA13BB0900328DBDB2CDF94DA49B9EBBF5FB11218F508699D958BB380D7305948CF91
                                    APIs
                                    • OutputDebugStringW.KERNEL32(?,567482D4,?,?,?,0113D4D5,000000FF,?,0108127F,?,?,?,00000000), ref: 0104EB18
                                    • GetActiveWindow.USER32 ref: 0104EA7A
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    Strings
                                    • %s , xrefs: 0104F88C, 0104FBC1
                                    • TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1, xrefs: 0104F6F7
                                    • "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 0104F5F2
                                    • .msi, xrefs: 0104F587, 0104FA80
                                    • "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 0104FB1F
                                    • "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 0104F658
                                    • majorupgrade-content.mst, xrefs: 0104F596, 0104FA8F
                                    • REINSTALL=ALL REINSTALLMODE=vomus , xrefs: 0104FBD3
                                    • TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 , xrefs: 0104F73F
                                    • AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 0104F9D5
                                    • MSINEWINSTANCE=1 , xrefs: 0104F726
                                    • TRANSFORMS=:%s.mst MSINEWINSTANCE=1 , xrefs: 0104F750
                                    • .mst, xrefs: 0104F5D7, 0104F63E, 0104FAFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
                                    • String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$majorupgrade-content.mst
                                    • API String ID: 758407959-743168453
                                    • Opcode ID: 22069e7f74e84b83b9ab118aa49734bcf125b09ed287bd0cf1d601fc82beb941
                                    • Instruction ID: c2c62a7a0b42c180e1880c2470195864c4947f3c03cc0d138c52917b5d4c49bf
                                    • Opcode Fuzzy Hash: 22069e7f74e84b83b9ab118aa49734bcf125b09ed287bd0cf1d601fc82beb941
                                    • Instruction Fuzzy Hash: B851E375A002059FDB14DB6CC8447AEBBF5FF45320F1482ADE856EB391DB389901CBA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ParentWindowlstrcmp
                                    • String ID: #32770
                                    • API String ID: 3676684576-463685578
                                    • Opcode ID: 0667ad22f64b77aaba94ded18f14ad8a031032367d8417d981c5f94a9ace26b9
                                    • Instruction ID: 7b42ef6f547a8aa149f24b857ae799e019845a6f14efb4c2169243f76ac3ece2
                                    • Opcode Fuzzy Hash: 0667ad22f64b77aaba94ded18f14ad8a031032367d8417d981c5f94a9ace26b9
                                    • Instruction Fuzzy Hash: A7E19F74E00219EFDB15CFA8C844BADBBB5BF49326F148168F911AB290D774AD48DB60
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,567482D4,?,?,00000000,?,?,?,?,?,?,567482D4,01109E15,000000FF), ref: 00F7DB3D
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F7DB43
                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,567482D4,01109E15,000000FF,?,00F945FA,0116C86C,567482D4,567482D4), ref: 00F7DB73
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F7DB79
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                    • API String ID: 2574300362-2454113998
                                    • Opcode ID: 76c20af9d3310085a11052a0bccfdae34a3406c16a1191f825802f535f9f4419
                                    • Instruction ID: a7ac128508dffaf4adc7448b8fab9d947e7ca93efc07d446f65ea06c8f5967f5
                                    • Opcode Fuzzy Hash: 76c20af9d3310085a11052a0bccfdae34a3406c16a1191f825802f535f9f4419
                                    • Instruction Fuzzy Hash: E7A16DB1D00209EFDF25DFA8C894BEDBBB4FF58320F54802AE415A7290DB759A44DB52
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,567482D4,?,?,?,?,?,?,?,567482D4,011074D5,000000FF,?,00F73AAA,011684E0), ref: 00F737F7
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F737FD
                                    • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,567482D4,011074D5,000000FF,?,00F73AAA,011684E0,567482D4,567482D4), ref: 00F7382E
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F73834
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                    • API String ID: 2574300362-2454113998
                                    • Opcode ID: b0630ef885543c84af480cfbd3f427039f6cacdf83896eaf683416ee10f9c265
                                    • Instruction ID: 39d0bed359bfb7dbc81594b250a6f6d5a2fad51730a402a13df34379b94643f3
                                    • Opcode Fuzzy Hash: b0630ef885543c84af480cfbd3f427039f6cacdf83896eaf683416ee10f9c265
                                    • Instruction Fuzzy Hash: A2815FB1D00249EFDB15DFA8D885BEDBBB4BF18310F14812EE415B7290DB749A44EB62
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(011E7054,567482D4,?,00000010), ref: 0107878C
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    • EnterCriticalSection.KERNEL32(00000010,567482D4,?,00000010), ref: 01078799
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 010787CB
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000), ref: 010787D4
                                    • WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,0116435C,00000001,?,?,?,00000000), ref: 01078856
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000), ref: 0107885F
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,00000000), ref: 01078895
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,?,00000000), ref: 0107889E
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,011668B8,00000002,?,?,?,00000000,?,?,?,00000000), ref: 010788FF
                                    • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,?,00000000), ref: 01078908
                                    • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,?,00000000), ref: 01078938
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
                                    • String ID: v
                                    • API String ID: 201293332-3261393531
                                    • Opcode ID: 3b750548e96a391b05f51cec2d92fbb9feab15416ed2917e4b71418c863998d5
                                    • Instruction ID: cdf10eb7e89e1f050c730e0614bb56acd502094bbd2a27d0d2910b5a13ab4289
                                    • Opcode Fuzzy Hash: 3b750548e96a391b05f51cec2d92fbb9feab15416ed2917e4b71418c863998d5
                                    • Instruction Fuzzy Hash: 8F61EE30A00649EFEB10DF68CC48BAEBBB8FF05314F048169F955E72A1D7759814DBA0
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,567482D4,?,?), ref: 0106FEF3
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 01070089
                                    • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 010700E5
                                    • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 01070135
                                    • RegCloseKey.ADVAPI32(?), ref: 01070175
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: OpenQueryValue$Close
                                    • String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                    • API String ID: 2529929805-1079072530
                                    • Opcode ID: 95ee0227d9bead950deeb78c5ca866109c1225d3895b0da4b398dd0d082e4024
                                    • Instruction ID: a8fc1100dac5063823a8edf6de8a6d3958805d90710356fe1a3620418c91e322
                                    • Opcode Fuzzy Hash: 95ee0227d9bead950deeb78c5ca866109c1225d3895b0da4b398dd0d082e4024
                                    • Instruction Fuzzy Hash: 7D02AD70D0526A9BDB64DF68CC88B9EBBF4AF45304F1042D8E849A7280DB75AF84CF54
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(011E711C,567482D4,?,?,00000000), ref: 010492F3
                                    • EnterCriticalSection.KERNEL32(?,567482D4,?,?,00000000,?,?,?,?,?,00000000,0113C417,000000FF), ref: 01049305
                                    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,0113C417,000000FF), ref: 01049312
                                    • GetCurrentThread.KERNEL32 ref: 0104931D
                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,0116438C,00000000), ref: 010494FE
                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 010495DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                    • String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
                                    • API String ID: 3051236879-1086252000
                                    • Opcode ID: 8b285230fde6a2742bf6c8230355fccaeeb13c39242b9c9b25075a9f9951fe36
                                    • Instruction ID: 39d5dece2930b6249ea97ac6947586b3f14bf8c502a76880dfd1e9600be320df
                                    • Opcode Fuzzy Hash: 8b285230fde6a2742bf6c8230355fccaeeb13c39242b9c9b25075a9f9951fe36
                                    • Instruction Fuzzy Hash: 44C17970504388DFEB25DFA8CC45BEE7BB8FB48308F104568E9599B281DB755708CB91
                                    APIs
                                    • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,567482D4), ref: 00F6CC38
                                      • Part of subcall function 00F50E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F50E96
                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00F6CD3B
                                    • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00F6CD4F
                                    • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00F6CD64
                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00F6CD79
                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00F6CD90
                                    • GetWindowRect.USER32(?,?), ref: 00F6CDC2
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00F6CE24
                                    • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00F6CE34
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateLongRect
                                    • String ID: ,$tooltips_class32
                                    • API String ID: 1954517558-3856767331
                                    • Opcode ID: ad6293418718b6b430b0b21efbc50cb5d701889140073a66f7dd8261c55c1498
                                    • Instruction ID: 8559c7fefad159723a8519980ccdd5111a9216198e738b4ec9fa3f1daeb357a6
                                    • Opcode Fuzzy Hash: ad6293418718b6b430b0b21efbc50cb5d701889140073a66f7dd8261c55c1498
                                    • Instruction Fuzzy Hash: 62914E75A00208AFDB28CFE4DC95FAEBBF9FB08304F10852AF556EA194D774A944DB50
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(011E711C,567482D4,?,?,00000000), ref: 010492F3
                                    • EnterCriticalSection.KERNEL32(?,567482D4,?,?,00000000,?,?,?,?,?,00000000,0113C417,000000FF), ref: 01049305
                                    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,0113C417,000000FF), ref: 01049312
                                    • GetCurrentThread.KERNEL32 ref: 0104931D
                                    • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,0116438C,00000000), ref: 010494FE
                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 010495DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                    • String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
                                    • API String ID: 3051236879-1086252000
                                    • Opcode ID: 16ec29c904c58b0c95fce6a4f86c4895bfe7b37cde0b37f5af282b828c4ad2ca
                                    • Instruction ID: 271144f8477e151fd822867c4c1d91658a1ef468f47d74778b27f8e09abd7a31
                                    • Opcode Fuzzy Hash: 16ec29c904c58b0c95fce6a4f86c4895bfe7b37cde0b37f5af282b828c4ad2ca
                                    • Instruction Fuzzy Hash: C2A17A70905388DFEF25DFA4CC45BEE7BB8AF48308F404168E959AB281DB755708CB91
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0104646E
                                    • __Init_thread_footer.LIBCMT ref: 010465C7
                                    • GetStdHandle.KERNEL32(000000F5,?,567482D4,?,?), ref: 0104664F
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 01046656
                                    • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0104666A
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 01046671
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,011668B8,00000002,?,?), ref: 01046700
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 01046707
                                    • IsWindow.USER32(00000000), ref: 01046920
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                    • String ID: Error
                                    • API String ID: 2811146417-2619118453
                                    • Opcode ID: feb53171fa68f8064b257d38a63732d4f8aedf58fab2c3a3c8c177498222f1f0
                                    • Instruction ID: 70bc6a78154388c9d04ecf40a568ddeb05eeb964904843619712e61c79c89125
                                    • Opcode Fuzzy Hash: feb53171fa68f8064b257d38a63732d4f8aedf58fab2c3a3c8c177498222f1f0
                                    • Instruction Fuzzy Hash: 54223EB0D00358DFEB24DFA4C884BDEBBB4BF55324F1446A8D455AB280EB755A88CF91
                                    APIs
                                    • EnterCriticalSection.KERNEL32(011E7250,567482D4,00000000,?,?,?,?,?,?,00F4EE60,011007AD,000000FF), ref: 00F4F63D
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F4F6B8
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F4F75E
                                    • LeaveCriticalSection.KERNEL32(011E7250), ref: 00F4F7B3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalCursorLoadSection$EnterLeave
                                    • String ID: v$0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
                                    • API String ID: 3727441302-556780245
                                    • Opcode ID: 14312ae20503bb1a986ccd749c35f2e231f5273a83a794996d913d2db390cc56
                                    • Instruction ID: 73d8087a242e817ecf0070dd5dfc8318548c3b6dbde0c45882446702376a4c7c
                                    • Opcode Fuzzy Hash: 14312ae20503bb1a986ccd749c35f2e231f5273a83a794996d913d2db390cc56
                                    • Instruction Fuzzy Hash: 7C5128B4D01219DFDB65CFE4D848BDEBFF8BB09314F10412AE915B7280E7B955498BA0
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FA5AB7
                                    • GetParent.USER32 ref: 00FA5ACD
                                    • GetWindowRect.USER32(?,?), ref: 00FA5AD8
                                    • GetParent.USER32(?), ref: 00FA5AE0
                                    • GetWindow.USER32(?,00000004), ref: 00FA5B12
                                    • GetWindowRect.USER32(?,?), ref: 00FA5B20
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FA5B2D
                                    • MonitorFromWindow.USER32(?,00000002), ref: 00FA5B45
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00FA5B5F
                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00FA5C0D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$LongMonitorParentRect$FromInfo
                                    • String ID:
                                    • API String ID: 1820395375-0
                                    • Opcode ID: 8928953b5483951c095bf1c3f5faf418865238f83d46986c9dab0c3a98e90395
                                    • Instruction ID: f838d6df085593c3508a4f3d94fe99fa9f4a45fe9b0ae5851702444f57a3d092
                                    • Opcode Fuzzy Hash: 8928953b5483951c095bf1c3f5faf418865238f83d46986c9dab0c3a98e90395
                                    • Instruction Fuzzy Hash: 32519072E005189FDB24CFA8CD44A9EBBB9FF48725F244229E815E7284DB30AD44CB50
                                    APIs
                                    • LocalFree.KERNEL32(000000FF,567482D4,00000000,?,7591E010,?,00000000,01148648,000000FF), ref: 010836C3
                                    • LocalFree.KERNEL32(?,567482D4,00000000,?,7591E010,?,00000000,01148648,000000FF), ref: 0108372E
                                    • LocalFree.KERNEL32(?,567482D4,00000000,?,7591E010,?,00000000,01148648,000000FF), ref: 01083738
                                    • LoadLibraryW.KERNEL32(Advapi32.dll,567482D4,?,00000000), ref: 01083841
                                    • GetLastError.KERNEL32 ref: 0108386F
                                    • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 01083885
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: FreeLocal$AddressErrorLastLibraryLoadProc
                                    • String ID: Advapi32.dll$ConvertStringSidToSidW
                                    • API String ID: 765017759-1129428314
                                    • Opcode ID: 125244b93a3a2f421f90b002e4de24d657b808f39a656bfc6497614d9d86dbbb
                                    • Instruction ID: eb50446d4cafec96243507535ee92ec226da6d734885a2af3428ec0ef3812a0d
                                    • Opcode Fuzzy Hash: 125244b93a3a2f421f90b002e4de24d657b808f39a656bfc6497614d9d86dbbb
                                    • Instruction Fuzzy Hash: A7D1BBB0D0420AEBEB10DFA9C94479EFBF4FF44714F148259E9A4AB280D775EA14CB90
                                    APIs
                                      • Part of subcall function 01002620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 01002661
                                      • Part of subcall function 01002620: _wcschr.LIBVCRUNTIME ref: 0100271F
                                    • GetLastError.KERNEL32(567482D4,?,?,?,?,01054FE6,?,?,?), ref: 01070B7D
                                    • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 01070D0D
                                    • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 01070D66
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,01054FE6,?,?,?), ref: 01070E54
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem_wcschr
                                    • String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
                                    • API String ID: 3734293021-4043905686
                                    • Opcode ID: 3377546cb120b0d56b296ff24db916eddb7d14ca845eedeae9ac5988eaceebb4
                                    • Instruction ID: 6de72eae475fee30105375dfff80c4af02ce9328971089b8a8715133d76e5de3
                                    • Opcode Fuzzy Hash: 3377546cb120b0d56b296ff24db916eddb7d14ca845eedeae9ac5988eaceebb4
                                    • Instruction Fuzzy Hash: 9DC17B70A00209DFDB04DFA8C984B9EBBF5FF09314F1482A9E805AB395DB75A945CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
                                    • API String ID: 0-2691827946
                                    • Opcode ID: cd85c50f90b9bbdb698d081554855543a7e7746518362c080009fa05141cd3bf
                                    • Instruction ID: 35d0a534417bcd8634cb8eb2831a64b6b5506538fc2e5e9c3f217eaaadfcad0e
                                    • Opcode Fuzzy Hash: cd85c50f90b9bbdb698d081554855543a7e7746518362c080009fa05141cd3bf
                                    • Instruction Fuzzy Hash: C9B1ADB1A04349DFDB24DF58D95479EBBF1FB41320F10826EE8699B380D7769A00DB91
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: _wcschr
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
                                    • API String ID: 2691759472-1956487666
                                    • Opcode ID: 6330a8b4dc2c787daeba67156a55b0172a56a3307e7be929dfedc1f8209a710e
                                    • Instruction ID: 9319dffa54bf43a20919b01ed5783d8c967fe8154efcc3487fd93c2553941da7
                                    • Opcode Fuzzy Hash: 6330a8b4dc2c787daeba67156a55b0172a56a3307e7be929dfedc1f8209a710e
                                    • Instruction Fuzzy Hash: 1A41FB76D447079BDF11EA59CC05F9EBBFCFB10221F044679AC61E22D0E772A814C691
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • CreateThread.KERNEL32(00000000,00000000,00F72D20,01168468,00000000,?), ref: 00F72C9A
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00F72CB3
                                    • CloseHandle.KERNEL32(00000000), ref: 00F72CC9
                                    • CoInitializeEx.COMBASE(00000000,00000000), ref: 00F72D79
                                    • GetProcessHeap.KERNEL32(?,00000000), ref: 00F72E7B
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 00F72E81
                                    • GetProcessHeap.KERNEL32(?,00000000), ref: 00F72F00
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 00F72F06
                                    • CoUninitialize.COMBASE ref: 00F7305A
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F730DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
                                    • String ID:
                                    • API String ID: 1779960141-0
                                    • Opcode ID: 973e6587432494d3cfe7c9d3c4e5205a153f8a0ec29ecf428eed9ff937e9bb3a
                                    • Instruction ID: 21a3c5ecff7aa7b0f4fc370e555fb458b45b67d949eb5b15254f1353049b47dd
                                    • Opcode Fuzzy Hash: 973e6587432494d3cfe7c9d3c4e5205a153f8a0ec29ecf428eed9ff937e9bb3a
                                    • Instruction Fuzzy Hash: C5F16FB0D01209EFDB14CFA4C944BEEBBB8FF44314F14815EE419AB281D7759A45EBA2
                                    APIs
                                    • VariantClear.OLEAUT32(?), ref: 00F634DA
                                    • VariantClear.OLEAUT32(?), ref: 00F6350C
                                    • VariantClear.OLEAUT32(?), ref: 00F63606
                                    • VariantClear.OLEAUT32(?), ref: 00F63635
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F6363C
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F63683
                                    • VariantClear.OLEAUT32(?), ref: 00F6370A
                                    • VariantClear.OLEAUT32(?), ref: 00F6373C
                                    • VariantClear.OLEAUT32(?), ref: 00F63817
                                    • VariantClear.OLEAUT32(?), ref: 00F63846
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ClearVariant$String$AllocFree
                                    • String ID:
                                    • API String ID: 1305860026-0
                                    • Opcode ID: 150b7102e20b14d6eb757d14e7b477f13e8cf498f0f52d6a3ecec4e174dd293c
                                    • Instruction ID: 4fbf628bb09df3f864b15d25a5f6096c241b137c03902d18be3cd85f13d1545b
                                    • Opcode Fuzzy Hash: 150b7102e20b14d6eb757d14e7b477f13e8cf498f0f52d6a3ecec4e174dd293c
                                    • Instruction Fuzzy Hash: D5C18B71E00218DFCB10DFA8C844BDEBBB4FF48714F148269E815E7281E779AA45DBA5
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • ResetEvent.KERNEL32(?,?,?), ref: 01073E9A
                                    • SetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 01073EDE
                                    • ResetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 01074078
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000,?,?,?), ref: 01074108
                                    • ResetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000), ref: 01074183
                                    • WaitForSingleObject.KERNEL32(0117F288,000000FF,?,?,?,?,?,00000001,08000000), ref: 010741A0
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 010741A7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Event$Reset$Init_thread_footerObjectSingleWait$HeapProcess
                                    • String ID: FTP Server
                                    • API String ID: 3860647947-688436434
                                    • Opcode ID: 065907b17eaa67beb9085b4c26616ca18a253344ae7e44ac3bb0834aeeb299c5
                                    • Instruction ID: a13bc217db0e6171653c5a304aae8988828207d69b7c2b09b4d88862b1b2ee8f
                                    • Opcode Fuzzy Hash: 065907b17eaa67beb9085b4c26616ca18a253344ae7e44ac3bb0834aeeb299c5
                                    • Instruction Fuzzy Hash: AEE18B30A00249DFEB51DFA8C888B9EBBF5FF49314F1482A8E955EB291D774D841CB94
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,010557F8), ref: 01075C83
                                    • WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 01075CC7
                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 01075CE4
                                    • CloseHandle.KERNEL32(00000000), ref: 01075CFE
                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 01075D3D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
                                    • String ID: Unable to get temp file $Unable to save script file $ps1
                                    • API String ID: 2821137686-4253966538
                                    • Opcode ID: 44056d94f2ddd262f576206cb90eaea6d355f03f77740ff82eb3b62039cebacf
                                    • Instruction ID: 44a597dfed8ae34be200ce2bc1d7c33f4437be1679678470c33e9946c257e3a6
                                    • Opcode Fuzzy Hash: 44056d94f2ddd262f576206cb90eaea6d355f03f77740ff82eb3b62039cebacf
                                    • Instruction Fuzzy Hash: C951B570E00609EFEB10DBA8CD49BDEBBB8EF44314F148298E951AB2C1D7759905CBA5
                                    APIs
                                    • GetSystemDefaultLangID.KERNEL32 ref: 01064B8C
                                    • GetUserDefaultLangID.KERNEL32 ref: 01064B99
                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 01064BAB
                                    • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 01064BBF
                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 01064BD4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                    • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                    • API String ID: 667524283-3528650308
                                    • Opcode ID: 1d82bc5c17c2b8fc18289af6e0b9b0fa7c52aeb38049ce602c6a206fcfa47617
                                    • Instruction ID: 92275237bf6143a3156668be77f02e36e09f24fc791c4b5bafec60ae4ea80677
                                    • Opcode Fuzzy Hash: 1d82bc5c17c2b8fc18289af6e0b9b0fa7c52aeb38049ce602c6a206fcfa47617
                                    • Instruction Fuzzy Hash: 8E41DD30604309DFCB94EF28E4906BAB7EABFD8225F91192EE8C5C3240E735D944CB52
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 010DA9C7
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 010DA9CF
                                    • _ValidateLocalCookies.LIBCMT ref: 010DAA58
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 010DAA83
                                    • _ValidateLocalCookies.LIBCMT ref: 010DAAD8
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 010DAAEE
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 010DAB03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                    • String ID: csm
                                    • API String ID: 1385549066-1018135373
                                    • Opcode ID: a879a3cd45c6d4b3af91a4a550cc7297d65776bfe528117d6c8d6e7b98dd1356
                                    • Instruction ID: ee29476bdee5e1219939405df2b6883a8c9f1c59b16b5650abbeb67e6a2ec893
                                    • Opcode Fuzzy Hash: a879a3cd45c6d4b3af91a4a550cc7297d65776bfe528117d6c8d6e7b98dd1356
                                    • Instruction Fuzzy Hash: B141A134B0030ADFCF10DF6CC884ADEBBE5BF45214F058299E9959B252D7359A46CB92
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F9A6E0
                                    • SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00F9A70E
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00F9A53C), ref: 00F9A71F
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F9A753
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F9A77F
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00F9A53C), ref: 00F9A796
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F9A7BA
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F9A7D2
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00F9A53C), ref: 00F9A7E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: 90494bd97f5d0cc0d92bcc3b365cd908de60b647f912c79b3dffe954a1240101
                                    • Instruction ID: 4b6cd2bed36ea2ff479cea4e508814bf9f2d709d6e684b46d4324fac0a4a850a
                                    • Opcode Fuzzy Hash: 90494bd97f5d0cc0d92bcc3b365cd908de60b647f912c79b3dffe954a1240101
                                    • Instruction Fuzzy Hash: 8E310935704219BFEF698EA4CC42FE93762DB84370F244239F9259B2D4EB749D409780
                                    APIs
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 0102AEA9
                                    • CloseHandle.KERNEL32(00000000), ref: 0102AED0
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                      • Part of subcall function 0102CA40: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,80070057,567482D4,?,?,00000000,010FE7D0,000000FF,?,01074609), ref: 0102CA7D
                                      • Part of subcall function 0102CA40: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 0102CAAE
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?), ref: 0102AF45
                                    • CloseHandle.KERNEL32(00000000), ref: 0102AF97
                                      • Part of subcall function 0102C860: WideCharToMultiByte.KERNEL32(00000003,00000000,01054C1A,000000FF,00000000,00000000,00000000,00000000,?,?,?,01054C1A,?,?), ref: 0102C87C
                                      • Part of subcall function 0102C860: WideCharToMultiByte.KERNEL32(00000003,00000000,01054C1A,000000FF,?,-00000001,00000000,00000000,?,?,?,01054C1A,?,?), ref: 0102C8B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
                                    • String ID: .bat$EXE$open
                                    • API String ID: 4275363648-2898749727
                                    • Opcode ID: 67fb79e658728743c39418114c60277d0e75c4035562fbc48d2575e7e35dd841
                                    • Instruction ID: 58de69118a377324d383aedd40a8fea9a9de5819457ef8e91afbedb82a95b53f
                                    • Opcode Fuzzy Hash: 67fb79e658728743c39418114c60277d0e75c4035562fbc48d2575e7e35dd841
                                    • Instruction Fuzzy Hash: 81A18970A01649EFEB11CFA8C988B8DFBF4FF44314F2482A9E464AB291DB749945CF50
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00F56DBF
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00F56E13
                                    • CloseHandle.KERNEL32(00000000), ref: 00F56E70
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00F56ED4
                                    • CloseHandle.KERNEL32(00000000,?), ref: 00F56EFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                    • String ID: aix$html
                                    • API String ID: 2030708724-2369804267
                                    • Opcode ID: d466f5f3dcf6838ef5d47d78221d2e70b7be2a44c77a9ce91e55772c16cedb8c
                                    • Instruction ID: aee714ac7f32b4fc75f57f86044a425454557c48e001d0d7c73fd93f716f89d8
                                    • Opcode Fuzzy Hash: d466f5f3dcf6838ef5d47d78221d2e70b7be2a44c77a9ce91e55772c16cedb8c
                                    • Instruction Fuzzy Hash: 8E618CB0900349DFEB28CFE4E949B9EBBF4EB04318F144169E411AB2C4D7BA5949DB91
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(011E7028,00000000,567482D4,00000000,01137533,000000FF,?,567482D4), ref: 00F429D3
                                    • GetLastError.KERNEL32(?,567482D4), ref: 00F429DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CountCriticalErrorInitializeLastSectionSpin
                                    • String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
                                    • API String ID: 439134102-34576578
                                    • Opcode ID: a443f9934e17456aac17256e81d13870d28359c4a74c9557abd09c0d40b6f7e6
                                    • Instruction ID: ef83c5fe52a55fdb6924cc1389792725f50047047d4377ae06509212abef2f42
                                    • Opcode Fuzzy Hash: a443f9934e17456aac17256e81d13870d28359c4a74c9557abd09c0d40b6f7e6
                                    • Instruction Fuzzy Hash: 4F51A2B5900709CBEB68CF95E9047EEBFF4EB05724F504639E824AB380E7359648DB91
                                    APIs
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,011E7054), ref: 010856B0
                                    • LoadLibraryW.KERNEL32(Shell32.dll,?,?,011E7054), ref: 010856C3
                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 010856D3
                                    • SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0108575C
                                    • SHGetMalloc.SHELL32(?), ref: 0108579E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
                                    • String ID: SHGetSpecialFolderPathW$Shell32.dll
                                    • API String ID: 2352187698-2988203397
                                    • Opcode ID: 59c44a4e6751b0ca802649296d14545f6fba6ff03c6186b657cc3e9d2255fd8b
                                    • Instruction ID: 86e9143b1fbf411680b2a3d4be235811c62a3f6f51a70661fae3319f43bb0a49
                                    • Opcode Fuzzy Hash: 59c44a4e6751b0ca802649296d14545f6fba6ff03c6186b657cc3e9d2255fd8b
                                    • Instruction Fuzzy Hash: EC31EF75604701DBEB25BF28EC05B677BE6BF84710F58C86CE9C58B280EBB194858791
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 01022F10
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    • GetProcAddress.KERNEL32(SetWindowTheme), ref: 01022F4D
                                    • __Init_thread_footer.LIBCMT ref: 01022F64
                                    • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 01022F8F
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                      • Part of subcall function 01002620: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 01002661
                                      • Part of subcall function 01002620: _wcschr.LIBVCRUNTIME ref: 0100271F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
                                    • String ID: SetWindowTheme$UxTheme.dll$explorer
                                    • API String ID: 3852524043-3123591815
                                    • Opcode ID: 8c8a0719367dc0170ac4ffd1aa24614b28676edff51640c50eaa4befd1d0b2f4
                                    • Instruction ID: 3a4cb7577271b3098a224d83361a230657355337fc9650103d553db546f95d1c
                                    • Opcode Fuzzy Hash: 8c8a0719367dc0170ac4ffd1aa24614b28676edff51640c50eaa4befd1d0b2f4
                                    • Instruction Fuzzy Hash: 1721BBB0A40741EBE769DFE8BC05B99B7E4EB10B20F004238E974AB3C4D770A5818B91
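The entries above give raw API calls with hex arguments, and the reading an analyst wants has to be decoded from them: in the function at 0102AEA9 CreateFileW is called with dwDesiredAccess 0x40000000 (GENERIC_WRITE), creation disposition 2 (CREATE_ALWAYS) and attributes 0x80 (FILE_ATTRIBUTE_NORMAL), followed by WriteFile, in a function whose strings are .bat, EXE and open; the function at 010856B0 asks SHGetSpecialFolderLocation for CSIDL 0x23 (CSIDL_COMMON_APPDATA) and resolves SHGetSpecialFolderPathW from Shell32.dll by hand; the function at 01022F4D resolves SetWindowTheme (UxTheme.dll) the same way. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "APIs" and "String ID" lines of this listing into records, decodes the CreateFileW arguments, flags the create-write-plus-executable-extension pattern, and collects the imports resolved at run time. Its input is constructed from three entries on this page (subcall arguments abridged); the regular expressions assume only the bullet-and-"ref:" layout shown here, not anything about Joe Sandbox's own data model.

```python
"""Added example: parse the per-function "APIs" / "String ID" lines of a
Joe Sandbox code-analysis listing (this page's layout) and extract decoded
CreateFileW arguments, a drop-and-run pattern (create/truncate + write +
executable extension string) and imports resolved via LoadLibrary/GetProcAddress.
Not part of the report or the sample; SAMPLE is constructed from this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR";
# subcall lines carry "Part of subcall function PARENT: " in front.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")

@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # parent address for "Part of subcall" lines

@dataclass
class Entry:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

def parse_entries(text: str) -> List[Entry]:
    """One Entry per 'APIs' header; lines matching neither pattern are skipped."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif (m := STRING_RE.match(line)) and m["s"]:
            cur.strings = m["s"].split("$")  # Joe joins the strings with '$'
    return entries

def hexval(tok: str) -> Optional[int]:
    """Joe prints numbers as 8-digit hex ('-' for negatives); '?' and literal
    string arguments come back as None."""
    try:
        return int(tok, 16)
    except ValueError:
        return None

ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
EXEC_EXT = {".bat", ".cmd", ".exe", ".vbs", ".js", ".ps1"}  # analyst's list

def decode_createfile(call: Call) -> Tuple[List[str], str]:
    """Name the dwDesiredAccess bits and dwCreationDisposition of a CreateFileW
    call; argument order is the API's (name, access, share, sa, disposition, ...)."""
    if call.name != "CreateFileW" or len(call.args) < 5:
        return [], "n/a"
    access = hexval(call.args[1]) or 0
    names = [n for bit, n in ACCESS.items() if access & bit]
    return names, DISPOSITION.get(hexval(call.args[4]), f"unknown({call.args[4]})")

def drop_and_run(entry: Entry) -> bool:
    """Create/truncate a file for writing, write to it, and carry an executable
    extension string. Subcall lines are ignored so a helper's write is not
    credited to every caller (an analyst's choice, not a Joe Sandbox rule)."""
    own = [c for c in entry.calls if c.subcall_of is None]
    creates = any(decode_createfile(c) == (["GENERIC_WRITE"], "CREATE_ALWAYS")
                  or ("GENERIC_WRITE" in decode_createfile(c)[0]
                      and decode_createfile(c)[1] == "CREATE_ALWAYS") for c in own)
    writes = any(c.name == "WriteFile" for c in own)
    ext = any(s.lower() in EXEC_EXT for s in entry.strings)
    return creates and writes and ext

def symbol_tokens(args: List[str]) -> List[str]:
    """Arguments Joe rendered as literal strings rather than numbers or '?'."""
    return [a for a in args if a != "?" and hexval(a) is None]

def dynamic_imports(entries: List[Entry]) -> Set[Tuple[str, str]]:
    """(library, symbol) pairs resolved at run time: GetProcAddress's string
    argument paired with the entry's LoadLibrary argument or its '*.dll' string."""
    found: Set[Tuple[str, str]] = set()
    for e in entries:
        syms = [t for c in e.calls if c.name == "GetProcAddress" for t in symbol_tokens(c.args)]
        if not syms:
            continue
        libs = [t for c in e.calls if c.name.startswith("LoadLibrary") for t in symbol_tokens(c.args)]
        libs = libs or [s for s in e.strings if s.lower().endswith(".dll")] or ["<unknown>"]
        found.update((lib, sym) for lib in libs for sym in syms)
    return found

# Constructed from three entries on this page (subcall arguments abridged).
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 0102AEA9
• CloseHandle.KERNEL32(00000000), ref: 0102AED0
  • Part of subcall function 0102CA40: FindResourceW.KERNEL32(00000000,00000001,00000006,?), ref: 0102CA7D
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?), ref: 0102AF45
• CloseHandle.KERNEL32(00000000), ref: 0102AF97
Similarity
• String ID: .bat$EXE$open
APIs
• SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,011E7054), ref: 010856B0
• LoadLibraryW.KERNEL32(Shell32.dll,?,?,011E7054), ref: 010856C3
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 010856D3
• SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0108575C
Similarity
• String ID: SHGetSpecialFolderPathW$Shell32.dll
APIs
• GetProcAddress.KERNEL32(SetWindowTheme), ref: 01022F4D
• SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 01022F8F
Similarity
• String ID: SetWindowTheme$UxTheme.dll$explorer
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for i, e in enumerate(ents):
        for c in e.calls:
            if c.name == "CreateFileW":
                print(f"entry {i} CreateFileW@{c.ref}: {decode_createfile(c)}")
        print(f"entry {i} drop_and_run={drop_and_run(e)} strings={e.strings}")
    print("dynamic imports:", sorted(dynamic_imports(ents)))
```

Run it over the whole code-analysis listing saved as text and the GetProcAddress pairs give the concrete evidence behind the report's "Contains functionality to dynamically determine API calls" signature, while drop_and_run narrows the hundreds of entries to the few that write a file an interpreter would run; a hit is a starting point for reading the disassembly at the listed ref addresses, not a verdict on its own.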
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00F59A4A
                                    • GetWindow.USER32(?,00000005), ref: 00F59A57
                                    • GetWindow.USER32(00000000,00000002), ref: 00F59B92
                                      • Part of subcall function 00F598A0: GetWindowRect.USER32(?,?), ref: 00F598CC
                                      • Part of subcall function 00F598A0: GetWindowRect.USER32(?,?), ref: 00F598DC
                                    • GetWindowRect.USER32(?,?), ref: 00F59AEB
                                    • GetWindowRect.USER32(00000000,?), ref: 00F59AFB
                                    • GetWindowRect.USER32(00000000,?), ref: 00F59B15
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Rect
                                    • String ID:
                                    • API String ID: 3200805268-0
                                    • Opcode ID: 17e43d067611c9bf220acefe1b05539fc6bc28f006d24b6b7d83c5d409d1d7b2
                                    • Instruction ID: 5478985bd2e9612214a1bffe095d7b58a3f434278a277a40e43b69e4257932ef
                                    • Opcode Fuzzy Hash: 17e43d067611c9bf220acefe1b05539fc6bc28f006d24b6b7d83c5d409d1d7b2
                                    • Instruction Fuzzy Hash: 8C41BC31908700DBD324DF28C980E6BF7E9AFD6715F504A1DFA8183521EB70E988CB62
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,010D6800,00000000,?,?,00F50C24,?), ref: 010D667A
                                    • HeapAlloc.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D6681
                                      • Part of subcall function 010D674C: IsProcessorFeaturePresent.KERNEL32(0000000C,010D6668,00000000,?,010D6800,00000000,?,?,00F50C24,?), ref: 010D674E
                                    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,010D6800,00000000,?,?,00F50C24,?), ref: 010D6691
                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00F50C24,?), ref: 010D66B8
                                    • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,00F50C24,?), ref: 010D66CC
                                    • InterlockedPopEntrySList.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D66DF
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00F50C24,?), ref: 010D66F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                    • String ID:
                                    • API String ID: 2460949444-0
                                    • Opcode ID: 48f544571edd3c59a6e9cf284c60a81e717e701a6a8e6b4debfeafd8cc3eb07e
                                    • Instruction ID: 3c567a081e8116c5833180042755c402dd3f850f646d826fac274744ea6d8b04
                                    • Opcode Fuzzy Hash: 48f544571edd3c59a6e9cf284c60a81e717e701a6a8e6b4debfeafd8cc3eb07e
                                    • Instruction Fuzzy Hash: 7D112B76600319EBEB315BA8AC48F6B7AADFB08798F010471FA91E7144DF22DC4087B5
                                    APIs
                                      • Part of subcall function 01073390: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0107152A,?,567482D4,?,?,?,000000FF,?,01070EF4), ref: 0107339D
                                      • Part of subcall function 01073390: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0107152A,?,567482D4,?,?,?,000000FF,?,01070EF4,?), ref: 010733BE
                                      • Part of subcall function 01073390: GetLastError.KERNEL32(?,567482D4,?,?,?,000000FF,?,01070EF4,?,?,00000000,00000000,567482D4,?,?), ref: 0107341E
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • ResetEvent.KERNEL32(?,00000000,0114499D), ref: 010715FA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01071619
                                    • WaitForSingleObject.KERNEL32(567482D4,000000FF), ref: 01071620
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
                                    • String ID: GET$attachment$filename
                                    • API String ID: 818129584-3911147371
                                    • Opcode ID: bdfed2a7579c77711ba585e2c837a5cc310d899ccbd88a87de875597f71a2dd0
                                    • Instruction ID: 2fb93639ee57ebd657c29467d5ed948999fd20b2230af278da762efd8753830b
                                    • Opcode Fuzzy Hash: bdfed2a7579c77711ba585e2c837a5cc310d899ccbd88a87de875597f71a2dd0
                                    • Instruction Fuzzy Hash: A002BD70E0120ADFDB14DFA8C944BEEBBF5BF14314F1481A9E855AB391DB749A05CBA0
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • _wcschr.LIBVCRUNTIME ref: 01087D2B
                                    • _wcschr.LIBVCRUNTIME ref: 01087DD2
                                    • _wcschr.LIBVCRUNTIME ref: 01087DF1
                                      • Part of subcall function 00F49120: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00F56AC0,-00000010,?,00F5ACDD,*.*), ref: 00F49143
                                    • _wcschr.LIBVCRUNTIME ref: 01087E93
                                    • GetTickCount.KERNEL32 ref: 0108803A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
                                    • String ID: 0123456789AaBbCcDdEeFf
                                    • API String ID: 2181188311-3822820098
                                    • Opcode ID: 61d40cd01e452c45044bc7a3a29561869905c57c37349feb28417cc870a1c1db
                                    • Instruction ID: d80e80f00121e2ac2e4e9766417e05d934ecb4fab83c24f936d4949eb94b16d1
                                    • Opcode Fuzzy Hash: 61d40cd01e452c45044bc7a3a29561869905c57c37349feb28417cc870a1c1db
                                    • Instruction Fuzzy Hash: 4BD10431A04A058FDB10EF68C848BAEBBF5EF48314F24829DE5D5972D5D734E945CB90
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,567482D4,?,00000000), ref: 01041AB9
                                    • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 01041B29
                                    • CloseHandle.KERNEL32(?), ref: 01041D2E
                                    • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 01041DB5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$Read$CloseCreateHandle
                                    • String ID:
                                    • API String ID: 1724936099-0
                                    • Opcode ID: 5875948818781b9de289ab890fc563a441dc42bcc23f96264bf0f2ae246e309a
                                    • Instruction ID: 6c961f6499728509e268a7e199452c317b4e89b7b5e9c145cb209404990bacf7
                                    • Opcode Fuzzy Hash: 5875948818781b9de289ab890fc563a441dc42bcc23f96264bf0f2ae246e309a
                                    • Instruction Fuzzy Hash: 72C1A3B1D00308DBDB24DFA8CD84BEEBBF5AF48314F24816DD455AB281D774AA85CB91
                                    APIs
                                    • EnterCriticalSection.KERNEL32(011E7008,567482D4,?,?,?,?,?,?,?,?,?,?,?,?,00000000,01101605), ref: 00F54F7A
                                    • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,01101605), ref: 00F54FFA
                                    • EnterCriticalSection.KERNEL32(011E7024,?,?,?,?,?,?,?,?,?,?,?,00000000,01101605,000000FF), ref: 00F551B3
                                    • LeaveCriticalSection.KERNEL32(011E7024,?,?,?,?,?,?,?,?,?,?,00000000,01101605,000000FF), ref: 00F551D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Enter$FileLeaveModuleName
                                    • String ID: v
                                    • API String ID: 1807155316-3261393531
                                    • Opcode ID: bb87177ca760acffb6220a634caf58f056ff7b6a103a5ac45a857f3840ec3ba1
                                    • Instruction ID: f16f32641b7609330098bf58aa417bb8148ebcf78830a88b960f86ccc9cb4f2b
                                    • Opcode Fuzzy Hash: bb87177ca760acffb6220a634caf58f056ff7b6a103a5ac45a857f3840ec3ba1
                                    • Instruction Fuzzy Hash: 9AB1A270E01649DFDB24CFA4C898BAEBBF4BF04719F144068E915EB280C775AD49DBA0
                                    APIs
                                    • CoCreateInstance.COMBASE(0116480C,00000000,00000001,01164E94,?), ref: 00F50FA0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CreateInstance
                                    • String ID: :${
                                    • API String ID: 542301482-3766677574
                                    • Opcode ID: 678a806cc3cf342a02b2be3c93e442b5919894854d6963cefbaa89c2a64856d9
                                    • Instruction ID: 2c05abf1b54eab0448b4cb4fd1a249432582e795e00e72e69f14a12832abbedb
                                    • Opcode Fuzzy Hash: 678a806cc3cf342a02b2be3c93e442b5919894854d6963cefbaa89c2a64856d9
                                    • Instruction Fuzzy Hash: 1361BE74A002559BDF388F958840BBEB7F9EB09726F144129FE05EB2C0DB75AC84DB60
                                    APIs
                                    • SysFreeString.OLEAUT32(?), ref: 00F750E4
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F75159
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00F751BF
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00F751C5
                                    • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00F751F5
                                    • HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00F751FB
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F75213
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Free$Heap$String$Process
                                    • String ID:
                                    • API String ID: 2680101141-0
                                    • Opcode ID: fcbfab3ccd3128fced6c2acef7f63a04d3008da7064619581eefe47c115556c0
                                    • Instruction ID: 297480763b925a29df0c9a8fb8e6a2ee9f50d2e0ef24567988d3a9578c4b897a
                                    • Opcode Fuzzy Hash: fcbfab3ccd3128fced6c2acef7f63a04d3008da7064619581eefe47c115556c0
                                    • Instruction Fuzzy Hash: 2F6193B0D0161ADFDF10DFA8C8447EFBBB4BF14710F15815AE855A7281C7B89A05DBA2
                                    APIs
                                    • EnterCriticalSection.KERNEL32(011E7250,567482D4,00000000,011E726C), ref: 00F52653
                                    • LeaveCriticalSection.KERNEL32(011E7250), ref: 00F526B8
                                    • LoadCursorW.USER32(00F40000,?), ref: 00F52714
                                    • LeaveCriticalSection.KERNEL32(011E7250), ref: 00F527AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Leave$CursorEnterLoad
                                    • String ID: v$ATL:%p
                                    • API String ID: 2080323225-109518622
                                    • Opcode ID: 462196f4a459207564e7cea69254d4460ba06b13c94052b9776b948e87028e41
                                    • Instruction ID: 726e4b942fe014090402515e7e510fb8f5308c4fe06ed33b68faecf214c96a09
                                    • Opcode Fuzzy Hash: 462196f4a459207564e7cea69254d4460ba06b13c94052b9776b948e87028e41
                                    • Instruction Fuzzy Hash: 9251BD34D00B498BDB64CFA8C944BAAB7F4FF09325F00471DED96A7680E770B9848B90
                                    APIs
                                    • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00F6BCD5
                                    • lstrcpynW.KERNEL32(?,?,00000020), ref: 00F6BD4B
                                    • MulDiv.KERNEL32(?,00000048,00000000), ref: 00F6BD88
                                    • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00F6BDBA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$lstrcpyn
                                    • String ID: ?$t
                                    • API String ID: 3928028829-1995845436
                                    • Opcode ID: 5a541a52a88dc7add347912440c94c63ca9cfd1d205832a489c69211a7d8a545
                                    • Instruction ID: eb15c0ee6d533cccf931856566ea947153c7b1548b7fa94619798d13179f4e81
                                    • Opcode Fuzzy Hash: 5a541a52a88dc7add347912440c94c63ca9cfd1d205832a489c69211a7d8a545
                                    • Instruction Fuzzy Hash: D4514C71908341EFE731DFA0D849B9BBBE8AF88705F00492DF69ADA181D7749548CB52
                                    APIs
                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,567482D4,?,?), ref: 0106F597
                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,567482D4,0114450D), ref: 0106F60F
                                    • GetLastError.KERNEL32 ref: 0106F620
                                    • WaitForSingleObject.KERNEL32(0114450D,000000FF), ref: 0106F63C
                                    • GetExitCodeProcess.KERNEL32(0114450D,00000000), ref: 0106F64D
                                    • CloseHandle.KERNEL32(0114450D), ref: 0106F657
                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0106F672
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
                                    • String ID:
                                    • API String ID: 1153077990-0
                                    • Opcode ID: 7e44f5005821db4320ad2f3fb0729d3aea3a85cca2652df60a107160e256943a
                                    • Instruction ID: 3efedae2e7ba904834fa45e5def02877c815e7af99b03700bcfbabf58b8c6b43
                                    • Opcode Fuzzy Hash: 7e44f5005821db4320ad2f3fb0729d3aea3a85cca2652df60a107160e256943a
                                    • Instruction Fuzzy Hash: B6418C31E00389EBDB24CFA4D9087EEBBF8AF49314F108669F864A7184D7748A40CB50
                                    APIs
                                    • LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,01067731,00000000,567482D4,?,00000010,00000000), ref: 01081C5B
                                    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 01081C71
                                    • FreeLibrary.KERNEL32(00000000), ref: 01081CAA
                                    • FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,01067731,00000000,567482D4,?,00000010,00000000), ref: 01081CC6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Library$Free$AddressLoadProc
                                    • String ID: DllGetVersion$Shlwapi.dll
                                    • API String ID: 1386263645-2240825258
                                    • Opcode ID: 6a88769a0413039f3ea32338c69a6cce03a2fd4278c48003bec7e22d0f8cf60b
                                    • Instruction ID: 716eb3d46f9fbba67dc20a116e5f4ba21029da8120269a290dea3374623eff76
                                    • Opcode Fuzzy Hash: 6a88769a0413039f3ea32338c69a6cce03a2fd4278c48003bec7e22d0f8cf60b
                                    • Instruction Fuzzy Hash: 4F21A7726043098BD714AF2DE84067BB7E5FFD9614B80096DF9D9C3201EB35D84587A3
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,010D40E3,010D4046,010D42E7), ref: 010D407F
                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 010D4095
                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 010D40AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                    • API String ID: 667068680-1718035505
                                    • Opcode ID: adf9158900377ebfe116568e96a94b42933c6e3e5f96f133faae31280cb7d72f
                                    • Instruction ID: 458be76bf683e0262f3c1e5af434e322059d46f09e5c44ff707d7b3a7cd4e0bd
                                    • Opcode Fuzzy Hash: adf9158900377ebfe116568e96a94b42933c6e3e5f96f133faae31280cb7d72f
                                    • Instruction Fuzzy Hash: 59F04C31B00362DB5FF55DFA488466B2EDC9A0525C300067DFA92D7E00E770C89587D1
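The records above are raw API traces, one line per recorded call with hex stack slots as arguments and the return address after "ref:". Reading them by hand is error-prone: in the CreateFileW record, 80000000 / 00000001 / 00000003 / 00000080 are GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, and the trace prints more slots than the API has parameters; the ReadFile calls read 0x1000-byte chunks. The Wow64DisableWow64FsRedirection / CreateProcessW / Wow64RevertWow64FsRedirection record is how a 32-bit process (this sample is a 32-bit PE run on w10x64) reaches the native System32 instead of SysWOW64 when launching a child. The GetProcAddress calls with literal names (DllGetVersion, AcquireSRWLockExclusive, ReleaseSRWLockExclusive) are the kind of evidence behind the report's "dynamically determine API calls" signature. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses this line format into per-function call lists, names the CreateFileW flags, flags a CreateProcessW that sits between the two redirection calls, and lists the export names resolved at run time. The sample text is copied from the records on this page; the regex and the assumption that each "APIs" header begins a new function record describe the visible export format, not a documented one.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' trace lines and decode/flag a few call patterns."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API lines copied from five function records on this page.
SAMPLE = """
APIs
  • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
• _wcschr.LIBVCRUNTIME ref: 01087D2B
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,567482D4,?,00000000), ref: 01041AB9
• ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 01041B29
APIs
• Wow64DisableWow64FsRedirection.KERNEL32(00000000,567482D4,?,?), ref: 0106F597
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,567482D4,0114450D), ref: 0106F60F
• GetLastError.KERNEL32 ref: 0106F620
• WaitForSingleObject.KERNEL32(0114450D,000000FF), ref: 0106F63C
• Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0106F672
APIs
• LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,01067731,00000000,567482D4,?,00000010,00000000), ref: 01081C5B
• GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 01081C71
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,010D40E3,010D4046,010D42E7), ref: 010D407F
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 010D4095
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 010D40AA
"""

# Assumed line shape: optional "Part of subcall function <addr>:", then Api.MODULE, optional
# "(arg,arg,...)", then "ref: <return address>". Arguments are 8-hex-digit stack slots,
# "?" where the sandbox could not resolve the value, or a literal string it recognised.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                          # return address inside the sample's image
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


def parse_functions(text: str) -> List[List[Call]]:
    """Split the trace into per-function call lists; every 'APIs' header starts a new record."""
    functions: List[List[Call]] = []
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            functions.append([])
            continue
        m = LINE_RE.match(raw)
        if not m or not functions:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        functions[-1].append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return functions


GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def _bits(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode_createfile(call: Call) -> Dict[str, str]:
    """Name the numeric CreateFileW arguments. CreateFileW has seven parameters; the trace
    prints further stack slots after them, which are ignored here."""
    access, share, _security, disposition, attrs = (int(a, 16) for a in call.args[1:6])
    return {
        "access": _bits(access, GENERIC),
        "share": _bits(share, SHARE),
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
        "attributes": "FILE_ATTRIBUTE_NORMAL" if attrs == 0x80 else hex(attrs),
    }


def redirection_wrapped_create(calls: List[Call]) -> bool:
    """True when CreateProcessW sits between Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection."""
    names = [c.api for c in calls]
    if "Wow64DisableWow64FsRedirection" not in names or "Wow64RevertWow64FsRedirection" not in names:
        return False
    lo, hi = names.index("Wow64DisableWow64FsRedirection"), names.index("Wow64RevertWow64FsRedirection")
    return any(lo < i < hi for i, n in enumerate(names) if n == "CreateProcessW")


def resolved_imports(calls: List[Call]) -> List[str]:
    """Export names looked up at run time: GetProcAddress with a literal (non-hex, non-'?') second argument."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1
            and not re.fullmatch(r"[0-9A-F]{8}|\?", c.args[1])]


if __name__ == "__main__":
    for calls in parse_functions(SAMPLE):
        for c in calls:
            if c.api == "CreateFileW":
                print(f"{c.ref:08X} CreateFileW {decode_createfile(c)}")
        if redirection_wrapped_create(calls):
            print(f"{calls[0].ref:08X} CreateProcessW with WOW64 file-system redirection disabled")
        if resolved_imports(calls):
            print(f"{calls[0].ref:08X} run-time resolved: {resolved_imports(calls)}")
```

Treat the run-time resolved names as context rather than a verdict: looking up DllGetVersion through Shlwapi.dll and the SRWLock functions through KERNEL32.DLL is also what ordinary version-check and runtime library code does, so the list is useful mainly for spotting names that library code would not resolve this way. The CreateProcessW arguments in the trace are almost all 00000000 stack slots, so the child's command line has to come from the behaviour section of the report, not from this record.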
                                    APIs
                                    • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00F6E3B7
                                    • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00F6E3DF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6E3F7
                                    • SendMessageW.USER32(?,0000130A,00000000,?), ref: 00F6E428
                                    • GetParent.USER32(?), ref: 00F6E504
                                    • SendMessageW.USER32(00000000,00000136,?,?), ref: 00F6E515
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$Parent
                                    • String ID:
                                    • API String ID: 1020955656-0
                                    • Opcode ID: bf6bc5e4b249a13e2c646f9ac5cfe1a1c544a1f624c6bfe22b1bb07cce530b9d
                                    • Instruction ID: 2bd2df54933814a2ea4b543c20fb74f0d319c8b47a4808a3d9f7ecb993e1a27f
                                    • Opcode Fuzzy Hash: bf6bc5e4b249a13e2c646f9ac5cfe1a1c544a1f624c6bfe22b1bb07cce530b9d
                                    • Instruction Fuzzy Hash: 2A610776900219AFDB259FE4DC09FEEBBBAFF08714F140125F619AB294C7706940CB50
                                    APIs
                                    • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 01022CBB
                                    • GetParent.USER32(00000000), ref: 01022D0E
                                    • GetWindowRect.USER32(00000000), ref: 01022D11
                                    • GetParent.USER32(00000000), ref: 01022D20
                                      • Part of subcall function 00FDFEF0: GetWindowRect.USER32(?,?), ref: 00FDFF82
                                      • Part of subcall function 00FDFEF0: GetWindowRect.USER32(?,?), ref: 00FDFF9A
                                    • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 01022E10
                                    • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 01022E23
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageRectSendWindow$Parent
                                    • String ID:
                                    • API String ID: 425339167-0
                                    • Opcode ID: 2e5aac0242055f7af1380565d76c84a677a93643bfc6736e0be1ffb9d754e257
                                    • Instruction ID: d15884218f8ecd3e689a4a2500eb52c8d38ed7a0bbee10004b3a2dba8b14071f
                                    • Opcode Fuzzy Hash: 2e5aac0242055f7af1380565d76c84a677a93643bfc6736e0be1ffb9d754e257
                                    • Instruction Fuzzy Hash: ED517974D00708ABDB24CFA8C944BDEBBF9EF59714F144329E815BB281EB706980CB60
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 01036FAA
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 01036FCC
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 01036FF4
                                    • __Getctype.LIBCPMT ref: 010370D5
                                    • std::_Facet_Register.LIBCPMT ref: 01037137
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 01037161
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                    • String ID:
                                    • API String ID: 1102183713-0
                                    • Opcode ID: 6fb819f747bbcbe2bc04a4a588b95c1808752ae6e4f3918d7672e0826748a72b
                                    • Instruction ID: aef283fc5ffbae0ecdb93b33f9431a9bfd3cdd2ce73411f5d1826f7048b4cab0
                                    • Opcode Fuzzy Hash: 6fb819f747bbcbe2bc04a4a588b95c1808752ae6e4f3918d7672e0826748a72b
                                    • Instruction Fuzzy Hash: AA61BBB1C01249CBDB25CF98C540BAEBBF4BF55324F148299D895AB381E731AA84CB91
                                    APIs
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F6FCED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$`Dialog_`='
                                    • API String ID: 3850602802-1655181372
                                    • Opcode ID: 7c96c8841fd577828ef87ef41fbe2a33813423eb1a8369baeeafa2fbdbcc9130
                                    • Instruction ID: ac8efd390ab238aee06796ddf960436e766e7ae978cd697b46b50eb198f0cd00
                                    • Opcode Fuzzy Hash: 7c96c8841fd577828ef87ef41fbe2a33813423eb1a8369baeeafa2fbdbcc9130
                                    • Instruction Fuzzy Hash: 9CF15771900248DFDF14EF68CC89BEE7BB5BF48314F144169EC199B292DB75AA08CB91
                                    APIs
                                    • GetLastError.KERNEL32(?,?,010D8760,010D872C,?,?,00F7254D,01041180,?,00000008), ref: 010D8777
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 010D8785
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 010D879E
                                    • SetLastError.KERNEL32(00000000,010D8760,010D872C,?,?,00F7254D,01041180,?,00000008), ref: 010D87F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: e85a3bf202ead8c17c8072b11c468ca654c5e09d3822e0baf34b65f1b71c38c4
                                    • Instruction ID: 642477103f705639357d76994d7ea5c5492e02b0d042d7d4230f61784adf74ef
                                    • Opcode Fuzzy Hash: e85a3bf202ead8c17c8072b11c468ca654c5e09d3822e0baf34b65f1b71c38c4
                                    • Instruction Fuzzy Hash: 2D01283220A3139EA73A167CACC866B3B95FB0137532282BBF570525D4EF1188528340
                                    APIs
                                    • GetShortPathNameW.KERNEL32(567482D4,00000000,00000000), ref: 01054B6F
                                    • GetShortPathNameW.KERNEL32(?,?,?), ref: 01054BDD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: NamePathShort
                                    • String ID: neutral$x64$x86
                                    • API String ID: 1295925010-1541741584
                                    • Opcode ID: 93d31b41b4bc21a226251658dd7884cd9dbc7c1d42ba1aecd43952de21176568
                                    • Instruction ID: 784d352534fae147a69a359559c22750afd4032571c8128b8e81de2ba51d0531
                                    • Opcode Fuzzy Hash: 93d31b41b4bc21a226251658dd7884cd9dbc7c1d42ba1aecd43952de21176568
                                    • Instruction Fuzzy Hash: F5B1A171A04209EFDB14DFA8C848BDFBFB4EF44324F148159E815EB281EB74AA44CB94
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 0104A85B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID: Close$Copy$Details >>$Send Error Report
                                    • API String ID: 4139908857-113472931
                                    • Opcode ID: b36329067c3dd82c32e377560616f0c2abd8c53af1db4e594142794b7751cadb
                                    • Instruction ID: b3de2e86a90c2c351ffff75720f36c5d309aa232048bfc2e70da7fff72ea8d2f
                                    • Opcode Fuzzy Hash: b36329067c3dd82c32e377560616f0c2abd8c53af1db4e594142794b7751cadb
                                    • Instruction Fuzzy Hash: FFA16FB0A40205EBEB24DF64CC95BEEB7B5BF54704F004129FA52BB2C0E7B1A945CB94
                                    APIs
                                    • _wcsrchr.LIBVCRUNTIME ref: 01081104
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • DeleteFileW.KERNEL32(?), ref: 010811AA
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 010812DF
                                      • Part of subcall function 01070510: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,567482D4,00000001,7508EB20,00000000), ref: 0107055F
                                      • Part of subcall function 01070510: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,567482D4,00000001,7508EB20,00000000), ref: 01070595
                                      • Part of subcall function 0106D930: LoadStringW.USER32(000000A1,?,00000514,567482D4), ref: 0106D986
                                    • _wcsrchr.LIBVCRUNTIME ref: 01081219
                                    Strings
                                    • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 0108115E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: File$DeleteInit_thread_footer_wcsrchr$CreateHeapLoadProcessReadString
                                    • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                    • API String ID: 675357196-3685554107
                                    • Opcode ID: 8aa49bb6614551c402183adfe1f00909b7abf464e879500d448a426cc600e47b
                                    • Instruction ID: d9099f0edb2fe0ef04a31c7ceda75fc05ba00178a13ef5ea204e39722919a81f
                                    • Opcode Fuzzy Hash: 8aa49bb6614551c402183adfe1f00909b7abf464e879500d448a426cc600e47b
                                    • Instruction Fuzzy Hash: 7791C071A006099FDB00EB6CCC44B9EBBF5FF55320F1882A9E855DB2A1DB35D905CB90
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00F48945
                                    • __Init_thread_footer.LIBCMT ref: 00F489BF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: </a>$<a href="$<a>
                                    • API String ID: 1385522511-4210067781
                                    • Opcode ID: f205cbc4cea45b91a4c858c189df07aac28defa1242bdb9c413aef09627d9366
                                    • Instruction ID: cce36d42409d2c35528349443837b8a15a65ad4fa5825af1d8a48b2d3df52de4
                                    • Opcode Fuzzy Hash: f205cbc4cea45b91a4c858c189df07aac28defa1242bdb9c413aef09627d9366
                                    • Instruction Fuzzy Hash: 6EA1A270A00704EFDB18EFA8D845BADBBB2FF45314F10466DE821AB2D0DB74A945DB91
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?,?,567482D4,00000000,?), ref: 0104363C
                                    • SHGetMalloc.SHELL32(?), ref: 01043665
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$FolderHeapLocationMallocProcessSpecial
                                    • String ID: %s, %.2u %s %.4u %.2u:%.2u:%.2u GMT$C:\$C:\FAKE_DIR\
                                    • API String ID: 3216538967-785558474
                                    • Opcode ID: e40feacbb1719d2ec487c0a6724248213cf7f774b613d70c538763598b8532e2
                                    • Instruction ID: 1407d62ed78eaf2994ae501b6742da62f417708332175fd1be77d01d95d50a0e
                                    • Opcode Fuzzy Hash: e40feacbb1719d2ec487c0a6724248213cf7f774b613d70c538763598b8532e2
                                    • Instruction Fuzzy Hash: 0D7190B0900319AFDB28DF99D945BAEBBF8FF08704F048519F915AB380D7749944CB94
                                    APIs
                                    • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00F6E23D
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00F6E252
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00F6E25A
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                      • Part of subcall function 00F6FCA0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F6FCED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateCreateHeapWindow
                                    • String ID: SysTabControl32$TabHost
                                    • API String ID: 2359350451-2872506973
                                    • Opcode ID: 0260ecbb2e727417fc90ce00b6f1fbc036a0cb7775f19b9c1e4b39718c44d4b2
                                    • Instruction ID: 2652c6a4fdebc4f7a6970e5b9366ca924a0e3c058309d0e1b05103072bd3adda
                                    • Opcode Fuzzy Hash: 0260ecbb2e727417fc90ce00b6f1fbc036a0cb7775f19b9c1e4b39718c44d4b2
                                    • Instruction Fuzzy Hash: 14518D35A006059FDB14DFA9C844BAEBBF9FF49710F104269F815AB391DB75AD04CBA0
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,567482D4), ref: 00F56FE1
                                    • GetLastError.KERNEL32 ref: 00F5700A
                                    • RegCloseKey.ADVAPI32(?,00000000,00000000,?,0116438C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00F57153
                                    Strings
                                    • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00F56FD6
                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00F5704A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorEventLast
                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                    • API String ID: 1713683948-2079760225
                                    • Opcode ID: 85aee7c34ba249f26089ef22f7de7976d5bb23d3d2a7fbcf7f24792cd393ca51
                                    • Instruction ID: 2d5af2dc42b36b50dd679748563801d8c644f766075aa0a11e6e62a7c5572a1f
                                    • Opcode Fuzzy Hash: 85aee7c34ba249f26089ef22f7de7976d5bb23d3d2a7fbcf7f24792cd393ca51
                                    • Instruction Fuzzy Hash: A1619C70D04349EFDB10DF68C945B9EFBF4BF14304F208699D859A7281DBB8AA08CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
                                    • API String ID: 0-3551742416
                                    • Opcode ID: a59823622c2d85f56da7770a82d89ce173e2839998b00f4ad325956acd4a9daa
                                    • Instruction ID: 4f817f3ad057528c945a5734fecd1eb7987d12b8868fcfb3ba663f5043b0e3a2
                                    • Opcode Fuzzy Hash: a59823622c2d85f56da7770a82d89ce173e2839998b00f4ad325956acd4a9daa
                                    • Instruction Fuzzy Hash: 4221F332A012099BDB699F68D844BBAB3F9FB45B24F1046AAD925D7380FB31DD40C790
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,010DB9DF,?,?,00000000,?,?,010DBA91,00000002,FlsGetValue,0115B0D0,0115B0D8), ref: 010DB9AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-
                                    • API String ID: 3664257935-2084034818
                                    • Opcode ID: 732c83c7ebdf5ac745eae647c3e019bd3a21d0235f8b5c4c3c360d215d6e2ecc
                                    • Instruction ID: ece46d4228838341f0ac7fef1b6037319bd01d7b774a80029b608d0a2144f583
                                    • Opcode Fuzzy Hash: 732c83c7ebdf5ac745eae647c3e019bd3a21d0235f8b5c4c3c360d215d6e2ecc
                                    • Instruction Fuzzy Hash: 5511A331A01365EBDF728A6C9C40B5EB7E8AF03770F121564E9A5AB284D770E9008BD6
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,567482D4,?,?,00000000,01157106,000000FF,?,010ED7F2,?,?,010ED7C6,?), ref: 010ED897
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 010ED8A9
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,01157106,000000FF,?,010ED7F2,?,?,010ED7C6,?), ref: 010ED8CB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: a09334ae582d446cc8bdfb5b48547aba0f5b6d3bcf1fc4424de26092d28177df
                                    • Instruction ID: d116663a2f2231edf14451347f601bd754e63f04af4884b70ca2a5b284a2e6f1
                                    • Opcode Fuzzy Hash: a09334ae582d446cc8bdfb5b48547aba0f5b6d3bcf1fc4424de26092d28177df
                                    • Instruction Fuzzy Hash: 6901A231A14619EFDF298F95DC09BAEBBF8FB44B14F004639E821E26C0DB749940CB91
                                    APIs
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 010488AE
                                    • GetProcAddress.KERNEL32(00000000), ref: 010488B5
                                    • __Init_thread_footer.LIBCMT ref: 010488CC
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                    • String ID: Dbghelp.dll$SymFromAddr
                                    • API String ID: 3268644551-642441706
                                    • Opcode ID: a5190ba7f3c453e55ee1675afd81e1fb96e8e06d750cf887e6c077d0819398a4
                                    • Instruction ID: 7021ccafea2724902276bbe7654de8a282e810a9065ba6bc41149751ab57549d
                                    • Opcode Fuzzy Hash: a5190ba7f3c453e55ee1675afd81e1fb96e8e06d750cf887e6c077d0819398a4
                                    • Instruction Fuzzy Hash: BD01F1B0A01705DFD728CFD8E885B0573E5EB08730F104379E826873C0E73464008B51
                                    APIs
                                    • SleepConditionVariableCS.KERNELBASE(?,010D7137,00000064), ref: 010D71BD
                                    • LeaveCriticalSection.KERNEL32(011E5CD8,?,?,010D7137,00000064,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D71C7
                                    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,010D7137,00000064,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D71D8
                                    • EnterCriticalSection.KERNEL32(011E5CD8,?,010D7137,00000064,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D71DF
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                    • String ID: v
                                    • API String ID: 3269011525-3261393531
                                    • Opcode ID: 39075aaefa275662720d56379fb3fee606e0f4e3684587374656bd11d2628f85
                                    • Instruction ID: 85eb68216ec24a27b7f170d86a9a47d2c08b642e47d2dec47e1fc57b37f6f145
                                    • Opcode Fuzzy Hash: 39075aaefa275662720d56379fb3fee606e0f4e3684587374656bd11d2628f85
                                    • Instruction Fuzzy Hash: 9DE09239580728F7CB691FE4ED1DA8D3FAEEB04A59B000120FA19A7104CB6008A08BD2
                                    APIs
                                      • Part of subcall function 00F628C0: __Init_thread_footer.LIBCMT ref: 00F6292F
                                    • SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00F607B2
                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00F60867
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00F60906
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00F609B1
                                      • Part of subcall function 00F52A50: RaiseException.KERNEL32(?,?,00000000,00000000,010D64E7,C000008C,00000001,?,010D6518,00000000,?,00F48F47,00000000,567482D4,00000001,?), ref: 00F52A5C
                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00F60A37
                                    Similarity
                                    • API ID: MessageSend$ExceptionInit_thread_footerRaise
                                    • String ID:
                                    • API String ID: 3442259968-0
                                    • Opcode ID: ab1fab6257cff147c666e9aef337f2bf6849a4bb71814e09e204982cba302a43
                                    • Instruction ID: ad7b997b26408dd43617d48fccb8795e67ea52eae182b26b6ffb7e1293656464
                                    • Opcode Fuzzy Hash: ab1fab6257cff147c666e9aef337f2bf6849a4bb71814e09e204982cba302a43
                                    • Instruction Fuzzy Hash: D9B12AB1D01359DBEB20CF94CD54BDEBBB1BF48318F108299E9186B285D7B56A84CF90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA6F9E
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00FA6FA4
                                    • GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00FA6FCF
                                    • HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00FA6FD5
                                    Strings
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID: _TEMP
                                    • API String ID: 3859560861-1625495653
                                    • Opcode ID: dac8ad4b62539d1baf77e51d87dffe31eed51a58e4e08e65dcdcf5d6de51cacc
                                    • Instruction ID: 674f9b10f51260e2cb04e65bdd0fb37d55bb196519b4b81b82fbfeef21de9b8a
                                    • Opcode Fuzzy Hash: dac8ad4b62539d1baf77e51d87dffe31eed51a58e4e08e65dcdcf5d6de51cacc
                                    • Instruction Fuzzy Hash: C8919CB4D01209DFDB14DFA8C984BEEBBB4FF49324F24826DE415A7280C7785A05DBA1
                                    APIs
                                      • Part of subcall function 00F9A6C0: GetWindowLongW.USER32(?,000000F0), ref: 00F9A6E0
                                      • Part of subcall function 00F9A6C0: SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00F9A70E
                                      • Part of subcall function 00F9A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00F9A53C), ref: 00F9A71F
                                      • Part of subcall function 00F9A6C0: GetWindowLongW.USER32(?,000000EC), ref: 00F9A753
                                      • Part of subcall function 00F9A6C0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F9A77F
                                      • Part of subcall function 00F9A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00F9A53C), ref: 00F9A796
                                      • Part of subcall function 00F9A6C0: GetWindowLongW.USER32(?,000000F0), ref: 00F9A7BA
                                      • Part of subcall function 00F9A6C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F9A7D2
                                      • Part of subcall function 00F9A6C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00F9A53C), ref: 00F9A7E3
                                    • GetWindowRect.USER32(?,?), ref: 00F9A589
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F9A5B0
                                    • GetWindowRect.USER32(?,00000000), ref: 00F9A5FB
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,00000000), ref: 00F9A632
                                    • SetWindowTextW.USER32(?,567482D4), ref: 00F9A674
                                      • Part of subcall function 00FA5A70: GetWindowLongW.USER32(?,000000F0), ref: 00FA5AB7
                                      • Part of subcall function 00FA5A70: GetParent.USER32 ref: 00FA5ACD
                                      • Part of subcall function 00FA5A70: GetWindowRect.USER32(?,?), ref: 00FA5AD8
                                      • Part of subcall function 00FA5A70: GetParent.USER32(?), ref: 00FA5AE0
                                    Similarity
                                    • API ID: Window$Long$Rect$Parent$Text
                                    • String ID:
                                    • API String ID: 1351983003-0
                                    • Opcode ID: d3ead7f1d47c99acecbd8d3b3ee8762f73c4e3f854945d4f8d95abfce161163f
                                    • Instruction ID: e25aeef58ab96ed90f69993d719b7938d8088d51272572af27c2db221f143260
                                    • Opcode Fuzzy Hash: d3ead7f1d47c99acecbd8d3b3ee8762f73c4e3f854945d4f8d95abfce161163f
                                    • Instruction Fuzzy Hash: 47513C71E00509AFDB04DFA4CD85AEEFBB9FF08314F108225E825A7294EB34B955CB90
                                    APIs
                                    Similarity
                                    • API ID: ItemMessageSendWindow
                                    • String ID:
                                    • API String ID: 799199299-0
                                    • Opcode ID: 0b6286ba7e85bf2e8703141de17950a321b261a88be7cd0102002832fc67244e
                                    • Instruction ID: b75ed0ec3e11c0f7f875a4d9656d2a7e9d79789fdb2272b20d457c984a864606
                                    • Opcode Fuzzy Hash: 0b6286ba7e85bf2e8703141de17950a321b261a88be7cd0102002832fc67244e
                                    • Instruction Fuzzy Hash: B5419236200105DFC7298F54D894A67BBE9FF48322B044839E95DC6163D731EC58FB60
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0103CCD4
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0103CCF6
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0103CD1E
                                    • std::_Facet_Register.LIBCPMT ref: 0103CE07
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0103CE31
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                    • String ID:
                                    • API String ID: 459529453-0
                                    • Opcode ID: 5bd5f1ac6d2b6ebeb8c6b4fb3d45486a08d14b4378a8ae0a219ff5f699ef7a27
                                    • Instruction ID: f1fa0ee39e83543cba37bbe89dab7e2c606623889d13f528bc90c100e3c55346
                                    • Opcode Fuzzy Hash: 5bd5f1ac6d2b6ebeb8c6b4fb3d45486a08d14b4378a8ae0a219ff5f699ef7a27
                                    • Instruction Fuzzy Hash: 8B51CE70900249DFEB25DF98D544BAEBBF8FF50314F14819EE495EB280E775AA05CB90
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00F97B59
                                    • CoInitializeEx.COMBASE(00000000,00000002), ref: 00F97B69
                                    • SendMessageW.USER32(?,000005FA,?,00000000), ref: 00F97C81
                                      • Part of subcall function 00FA6100: EnterCriticalSection.KERNEL32(567482D4,567482D4), ref: 00FA6140
                                      • Part of subcall function 00FA6100: GetCurrentThreadId.KERNEL32 ref: 00FA6153
                                      • Part of subcall function 00FA6100: LeaveCriticalSection.KERNEL32(?), ref: 00FA61D1
                                      • Part of subcall function 00FA0200: SetLastError.KERNEL32(0000000E,?,00F988CB,?,?,?,?), ref: 00FA0218
                                    • GetLastError.KERNEL32(?,?,0116D550,00000000), ref: 00F97BF3
                                    • ShowWindow.USER32(?,0000000A,?,?,0116D550,00000000), ref: 00F97C05
                                    Similarity
                                    • API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
                                    • String ID:
                                    • API String ID: 2782539745-0
                                    • Opcode ID: ae2efc3551f62ac9826b64bad91fb8bee49a48039b75bc3e67cc9fa38dcf0ed4
                                    • Instruction ID: 1cee802b24e149ec99f4dbfa4ba4a7b2d5594e339c65da066ac43441cd61e8b2
                                    • Opcode Fuzzy Hash: ae2efc3551f62ac9826b64bad91fb8bee49a48039b75bc3e67cc9fa38dcf0ed4
                                    • Instruction Fuzzy Hash: BB31B0B0D00348EBEF14EFA0CC49BDEBBB5AF10708F104529E421AB280DBB95A45DB91
                                    APIs
                                    • LocalFree.KERNEL32(?,00000000,?,7591E010,010840FA,00000001,00000001), ref: 01083D39
                                    • LocalFree.KERNEL32(?,00000000,?,7591E010,010840FA,00000001,00000001), ref: 01083D49
                                    • GetLastError.KERNEL32(?,7591E010,010840FA,00000001,00000001), ref: 01083D87
                                    • LocalAlloc.KERNEL32(00000040,00000014,?,7591E010,010840FA,00000001,00000001), ref: 01083DC6
                                    • GetLastError.KERNEL32(?,7591E010,010840FA,00000001,00000001), ref: 01083DE0
                                    • LocalFree.KERNEL32(?,?,7591E010,010840FA,00000001,00000001), ref: 01083DF1
                                    Similarity
                                    • API ID: Local$Free$ErrorLast$Alloc
                                    • String ID:
                                    • API String ID: 3879364810-0
                                    • Opcode ID: bf482d0e824b2190792c16885943bab853f43225d16bd5c1f81976e5c052197e
                                    • Instruction ID: 71867d1628c85552cdca4267dc98e612e31df4f6380b70b8b16c60a385e374a9
                                    • Opcode Fuzzy Hash: bf482d0e824b2190792c16885943bab853f43225d16bd5c1f81976e5c052197e
                                    • Instruction Fuzzy Hash: 51314B706047059FE774EF69E848B5BBBE8FF84B14F00493EE586CA180E775E4088B61
                                    APIs
                                    Similarity
                                    • API ID: Variant$Clear$Init
                                    • String ID:
                                    • API String ID: 3740757921-0
                                    • Opcode ID: 02c1a2ccd74f07eea4340029d00c62f9e1d26ead2d5d4cd5d68a02f8570d4029
                                    • Instruction ID: 24f763033b560d5fc8c79401133eca6d8bd9768ce44cac314b0a33dce74f56d5
                                    • Opcode Fuzzy Hash: 02c1a2ccd74f07eea4340029d00c62f9e1d26ead2d5d4cd5d68a02f8570d4029
                                    • Instruction Fuzzy Hash: C6310971D05248EFDB05CFA8C944BDEBBF8EF49304F10819AE460E7250D7B5AA44CBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F74ABA
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F74AC0
                                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00F74AE3
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,01107786,000000FF), ref: 00F74B0B
                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,01107786,000000FF), ref: 00F74B11
                                    Similarity
                                    • API ID: Heap$FreeProcess$FormatMessage
                                    • String ID:
                                    • API String ID: 1606019998-0
                                    • Opcode ID: d3c5681e073445b958ed56e015c0c06cf065bfad01b4c9a7d018baba7a3c0752
                                    • Instruction ID: c64629bfcdde1902bfbaa52a9f85fcaef44f30757eefae322ff2b8cfb6119b70
                                    • Opcode Fuzzy Hash: d3c5681e073445b958ed56e015c0c06cf065bfad01b4c9a7d018baba7a3c0752
                                    • Instruction Fuzzy Hash: 0C112EB1E44219ABEB10DF94DC45BEFBBB8FB04B14F104519E514AB6C0D7B5A90487A1
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F6109B
                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00F610F8
                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00F61147
                                    • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00F61158
                                    • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00F61165
                                    Similarity
                                    • API ID: MessageSend$LongWindow
                                    • String ID:
                                    • API String ID: 312131281-0
                                    • Opcode ID: be434d88858d76e7914a88715f90a4ae53fb04aa9883ebba6a8a1c245fb04312
                                    • Instruction ID: 58622ddb23f1cc00da4f794389bf450f542b513a2e2cbaf4fd7563a56174c8b2
                                    • Opcode Fuzzy Hash: be434d88858d76e7914a88715f90a4ae53fb04aa9883ebba6a8a1c245fb04312
                                    • Instruction Fuzzy Hash: 8A214F31918346AAD220DF51CD45B1ABBF5BFEE758F202B1EF1D4211A4E7F191848F86
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcschr
                                    • String ID: realm
                                    • API String ID: 2691759472-4204190682
                                    • Opcode ID: 0748c66a2f477453fc461f383150bc03a5f5aea07e6f50f6f50ec78c60973422
                                    • Instruction ID: b44b9dc2163d0a727384b9a4a9efca88a75ee74d75f1bfa9ef9c145872d402f9
                                    • Opcode Fuzzy Hash: 0748c66a2f477453fc461f383150bc03a5f5aea07e6f50f6f50ec78c60973422
                                    • Instruction Fuzzy Hash: 73F1AB71A006499FDB01CF6CCC48BDEBBB9AF45324F148299E855DB291DB74EA44CB90
                                    APIs
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                      • Part of subcall function 01022A60: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00F60408,00000000,80004005), ref: 01022AC8
                                      • Part of subcall function 01022A60: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01022AF8
                                    • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00F6621D
                                    • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00F66234
                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00F66290
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$AllocateHeapWindow
                                    • String ID: QuickSelectionList
                                    • API String ID: 3168177373-3633591268
                                    • Opcode ID: d55370ece7f66c61004ac2935fcea2327a36e1168b29ec0d48a655546f60be11
                                    • Instruction ID: 4e7654670819073c0b3f085a71722513abdaa3968fb01e6eb207308bfbe864cd
                                    • Opcode Fuzzy Hash: d55370ece7f66c61004ac2935fcea2327a36e1168b29ec0d48a655546f60be11
                                    • Instruction Fuzzy Hash: 5581AE71A00205AFDB14DF68C884BEEF7F5FF88324F148259E965A7291DB75AD00CBA0
                                    APIs
                                      • Part of subcall function 010856A0: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,011E7054), ref: 010856B0
                                      • Part of subcall function 010856A0: LoadLibraryW.KERNEL32(Shell32.dll,?,?,011E7054), ref: 010856C3
                                      • Part of subcall function 010856A0: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 010856D3
                                    • PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,011E7054), ref: 010794E3
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                    Strings
                                    Similarity
                                    • API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
                                    • String ID: ADVINST_LOGS$Everyone
                                    • API String ID: 3321256476-3921853867
                                    • Opcode ID: 41228ed62027b4abba466050d1bb25d7ee9543f01cb074b8371e8c3bed1f3612
                                    • Instruction ID: 5843c74332cc0a049b2f358353c1854eb0cd7e44012d3f4d421d0dfefdacc608
                                    • Opcode Fuzzy Hash: 41228ed62027b4abba466050d1bb25d7ee9543f01cb074b8371e8c3bed1f3612
                                    • Instruction Fuzzy Hash: 5C917CB1D01209DFDB00DFA8C944BDEFBF5EF18328F244259E855AB291D7755A04CBA0
                                    APIs
                                      • Part of subcall function 01041F70: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 01041FB4
                                      • Part of subcall function 01041F70: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01041FBF
                                    • GetCurrentThreadId.KERNEL32 ref: 00F99BFC
                                    • SendMessageW.USER32(?,00000127,00030003,00000000), ref: 00F99C85
                                    Strings
                                    • AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00F99B29
                                    • AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00F99BA0
                                    Similarity
                                    • API ID: MessageSend$CurrentThread
                                    • String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                    • API String ID: 2377075789-1831360935
                                    • Opcode ID: 8587ecb84f0bd5572ac54f5272e3963098384d775a86c4e6c36b8c8553aa3a88
                                    • Instruction ID: 0b6b1723d06d6bef1f3bbd0415b50d54feee2b35e3d63191920b6ad8549a2855
                                    • Opcode Fuzzy Hash: 8587ecb84f0bd5572ac54f5272e3963098384d775a86c4e6c36b8c8553aa3a88
                                    • Instruction Fuzzy Hash: DC81E470A04208DFDF04EF68C995B9DBBB5AF54300F1441ACEC06AF296CB74AE08DB91
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00F9C59E
                                    • SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 00F9C778
                                    Strings
                                    Similarity
                                    • API ID: Window$Rect
                                    • String ID: AiDlgHeight$AiDlgWeight
                                    • API String ID: 3200805268-871102398
                                    • Opcode ID: c380204ebc84819f4b4cfebf94f9c6748cc6bda9d7ac6190b9782d5de9772111
                                    • Instruction ID: d28530ce2a111d376675ceebae1d2a8a1804bcbac4b96c456384e637e6bf6354
                                    • Opcode Fuzzy Hash: c380204ebc84819f4b4cfebf94f9c6748cc6bda9d7ac6190b9782d5de9772111
                                    • Instruction Fuzzy Hash: CA617C71D00209EFDF14DFA8D949B9EBBB4EF58314F148129E815AB280D734AA08CFD1
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,567482D4,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 01080724
                                      • Part of subcall function 01046130: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,80004005,?,?,?,00000000,0113B90D,000000FF), ref: 01046148
                                      • Part of subcall function 01046130: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,80004005,?,?,?,00000000,0113B90D,000000FF), ref: 0104617A
                                      • Part of subcall function 00F52A50: RaiseException.KERNEL32(?,?,00000000,00000000,010D64E7,C000008C,00000001,?,010D6518,00000000,?,00F48F47,00000000,567482D4,00000001,?), ref: 00F52A5C
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                    Strings
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
                                    • String ID: *.*$.jar$.pack
                                    • API String ID: 2917691982-3892993289
                                    • Opcode ID: aaa824e7a4cf95d8ca0533cf7a87d2d60002811a96c1731f6fb5d29a55c9a0d2
                                    • Instruction ID: 5afb09b0224ae230e68657114f30a1526eb2dbb10e151ec0016169830551d9f1
                                    • Opcode Fuzzy Hash: aaa824e7a4cf95d8ca0533cf7a87d2d60002811a96c1731f6fb5d29a55c9a0d2
                                    • Instruction Fuzzy Hash: 60518370A0460ADFDB10EFA9C844BAEBBF4FF04324F148269E5A5A7295D734D945CF90
                                    APIs
                                    • EnterCriticalSection.KERNEL32(0184ED38,567482D4,0184ED38), ref: 00FA5F01
                                    • GetCurrentThreadId.KERNEL32 ref: 00FA5F11
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00FA5F37
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 63478b10e42832f78ec00a3040f5597f2be8be567d852d3e848ca60ff32f9541
                                    • Instruction ID: df128ad0e5f572131b78e89151093488822f97a24473cd74579f726bf34f3586
                                    • Opcode Fuzzy Hash: 63478b10e42832f78ec00a3040f5597f2be8be567d852d3e848ca60ff32f9541
                                    • Instruction Fuzzy Hash: A741E0B1900A16AFDB24CF58C944AAAF7A8FB45724F148329E825D7284E731ED44CBD0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00F52AA6
                                    • EnterCriticalSection.KERNEL32(011E7250), ref: 00F52AC6
                                    • LeaveCriticalSection.KERNEL32(011E7250), ref: 00F52AEA
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 53bd19ec2a69edcc51757d9dd1971cb9b815124a728beb4751b9621937abb537
                                    • Instruction ID: 24de787739edd1952e013dc7828200f9d149e9891c20414d6bf13d3cc0964575
                                    • Opcode Fuzzy Hash: 53bd19ec2a69edcc51757d9dd1971cb9b815124a728beb4751b9621937abb537
                                    • Instruction Fuzzy Hash: 4D219C71904749EBDB24CFA8D904B8ABBE8FB05B20F10862EE865D7780D7B5A544CB91
                                    APIs
                                    • EnterCriticalSection.KERNEL32(567482D4,567482D4), ref: 00FA6140
                                    • GetCurrentThreadId.KERNEL32 ref: 00FA6153
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00FA61D1
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: 6f3ed226dbded1ad1077de24ab6787d86dbdf452b870f54f81fb0a9aa95045b1
                                    • Instruction ID: 93622ea9c1d9f31b2ceaba805412a5e743a9802d35b3976f3e9d27a4e648eb40
                                    • Opcode Fuzzy Hash: 6f3ed226dbded1ad1077de24ab6787d86dbdf452b870f54f81fb0a9aa95045b1
                                    • Instruction Fuzzy Hash: B731ABB1900344DFDB21CF58C844B9EBBF4EB09714F184569E8A6E3391E3B99A44CB90
                                    APIs
                                    • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00F74F22
                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F74F28
                                    Strings
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoOriginateLanguageException$combase.dll
                                    • API String ID: 2574300362-3996158991
                                    • Opcode ID: 376f0e2f2fccf2137419d451e2c34fa3ff906ffa0e619bc54e6ba1e2e408036a
                                    • Instruction ID: 199e39df2d355efee513da6eb195ae558456cb5fd459bd82740e690eb2196400
                                    • Opcode Fuzzy Hash: 376f0e2f2fccf2137419d451e2c34fa3ff906ffa0e619bc54e6ba1e2e408036a
                                    • Instruction Fuzzy Hash: AF3143B1905209EFDB15DFA4C945BEEB7F4FB14320F10852EE828A72C0D7796A44DB92
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0107152A,?,567482D4,?,?,?,000000FF,?,01070EF4), ref: 0107339D
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0107152A,?,567482D4,?,?,?,000000FF,?,01070EF4,?), ref: 010733BE
                                    • GetLastError.KERNEL32(?,567482D4,?,?,?,000000FF,?,01070EF4,?,?,00000000,00000000,567482D4,?,?), ref: 0107341E
                                    Strings
                                    Similarity
                                    • API ID: CreateEvent$ErrorLast
                                    • String ID: AdvancedInstaller
                                    • API String ID: 1131763895-1372594473
                                    • Opcode ID: 92f07d1259a0c74d234168fd93b35fe431e1eb11885f525d2833eb954c9da29c
                                    • Instruction ID: e943d58917a9f91d06a2d7eed71a1d0bbcd59e8574a0bf22a3682968defd0ab2
                                    • Opcode Fuzzy Hash: 92f07d1259a0c74d234168fd93b35fe431e1eb11885f525d2833eb954c9da29c
                                    • Instruction Fuzzy Hash: C4117C71B40302EBE3258B25CC89F5ABBA5FB84708F204428F6159F280DB71F851DB94
                                    APIs
                                      • Part of subcall function 01022E80: __Init_thread_footer.LIBCMT ref: 01022F10
                                      • Part of subcall function 01022E80: GetProcAddress.KERNEL32(SetWindowTheme), ref: 01022F4D
                                      • Part of subcall function 01022E80: __Init_thread_footer.LIBCMT ref: 01022F64
                                      • Part of subcall function 01022E80: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 01022F8F
                                    • CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 010229C2
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 010229E0
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 010229E8
                                      • Part of subcall function 00F50E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F50E96
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
                                    • String ID: SysListView32
                                    • API String ID: 605634508-78025650
                                    • Opcode ID: 3a83a35b2da5e45307783747d022213e70f69797708b30b8cb56c98e1bc44e6c
                                    • Instruction ID: 171095742c0d7118872e0f6efda8d8fccf497d02407be814578d045d2fb88a05
                                    • Opcode Fuzzy Hash: 3a83a35b2da5e45307783747d022213e70f69797708b30b8cb56c98e1bc44e6c
                                    • Instruction Fuzzy Hash: D2117C35301211ABE6289A55CC05F5BFBEAFFC5750F014619FA44AB2A1C7B1AD40CB91
                                    APIs
                                    • EnterCriticalSection.KERNEL32(011E7250), ref: 00F5281C
                                    • GetCurrentThreadId.KERNEL32 ref: 00F52830
                                    • LeaveCriticalSection.KERNEL32(011E7250), ref: 00F5286F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CurrentEnterLeaveThread
                                    • String ID: v
                                    • API String ID: 2351996187-3261393531
                                    • Opcode ID: c96f8200bcd8de646e6f2b758dc0a5dd08fcf2712e4afc517ac474bc0462c292
                                    • Instruction ID: 1fb61a1ef49b489134208334ad902001ffdb6f7a89ea8ee5e9f936e9a92f51fd
                                    • Opcode Fuzzy Hash: c96f8200bcd8de646e6f2b758dc0a5dd08fcf2712e4afc517ac474bc0462c292
                                    • Instruction Fuzzy Hash: E011BE31E04705DBDB28CF99D80475ABBE4EB56B26F10466EEC26A7380C7706844D7D1
                                    APIs
                                    • CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 0102341B
                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 01023433
                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0102343B
                                      • Part of subcall function 00F50E60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F50E96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$CreateLong
                                    • String ID: RichEdit20W
                                    • API String ID: 4015368215-4173859555
                                    • Opcode ID: 7c13f0d0fb8e3db43d9400ade4d0fec9c81be4881f505bf15ec30e705f37a983
                                    • Instruction ID: bc4b6fe51a9effb49c0954792c24adad575e65ea8659c5ba83f5a4316831912b
                                    • Opcode Fuzzy Hash: 7c13f0d0fb8e3db43d9400ade4d0fec9c81be4881f505bf15ec30e705f37a983
                                    • Instruction Fuzzy Hash: 66016D35301214BFE6289A55DC05F5BFBEAFFC9B50F158219FA08AB290C6B1AC40CB91
                                    APIs
                                    • GetParent.USER32(?), ref: 00FA4941
                                    • GetParent.USER32(?), ref: 00FA494A
                                    • SendMessageW.USER32(?,00000411,00000000,?), ref: 00FA495F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Parent$MessageSend
                                    • String ID: ,
                                    • API String ID: 2251359880-3772416878
                                    • Opcode ID: 036700fd0fde6c46847ee8ee01f4d45806d04d1a8f913fe659294252942c4044
                                    • Instruction ID: 09dceaff913209ec0efbe6d57428965c62acdbaf66c761990ab424a798574d43
                                    • Opcode Fuzzy Hash: 036700fd0fde6c46847ee8ee01f4d45806d04d1a8f913fe659294252942c4044
                                    • Instruction Fuzzy Hash: EE1187B1905301AFD720DF68D844B1BFBE4FB8E320F00492AF56592250D7B1E864CF92
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                      • Part of subcall function 0105B460: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 0105B48D
                                    • _wcsrchr.LIBVCRUNTIME ref: 0105B6DE
                                    • _wcsrchr.LIBVCRUNTIME ref: 0105B73E
                                    • _wcschr.LIBVCRUNTIME ref: 0105B9D2
                                    • _wcschr.LIBVCRUNTIME ref: 0105BA5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer_wcschr_wcsrchr$FileHeapModuleNameProcess
                                    • String ID:
                                    • API String ID: 1360097548-0
                                    • Opcode ID: 73b7011f09fbb6df45bd4786f8750e2fe7245ff3d4fb987fb0fabffaea07a0cd
                                    • Instruction ID: 2c8c56381c4eff725753fe196933fd564d406fdaed9130e1390c77f07e333391
                                    • Opcode Fuzzy Hash: 73b7011f09fbb6df45bd4786f8750e2fe7245ff3d4fb987fb0fabffaea07a0cd
                                    • Instruction Fuzzy Hash: 03F1D471A00609DFEB44DFA8C844BAFFBF5FF54310F148269E955AB291EB74A904CB90
                                    APIs
                                    • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00F603B8
                                    • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00F603CD
                                      • Part of subcall function 00F49AE0: RtlAllocateHeap.NTDLL(?,00000000,?,567482D4,00000000,010FE9A0,000000FF,?,?,011DACAC,?,0107C8E8,80004005,567482D4), ref: 00F49B2A
                                      • Part of subcall function 01022A60: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00F60408,00000000,80004005), ref: 01022AC8
                                      • Part of subcall function 01022A60: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01022AF8
                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00F60503
                                    • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00F605FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend$AllocateHeapWindow
                                    • String ID:
                                    • API String ID: 3168177373-0
                                    • Opcode ID: 8c86afbcebed3a3aef3bf4e312fd94580bd71d0acd01b66db0a0a1e93f2e7482
                                    • Instruction ID: c567561b7ba331b26808c2aca69f0e0c8236d986f55512f74fc98ea10906d8a8
                                    • Opcode Fuzzy Hash: 8c86afbcebed3a3aef3bf4e312fd94580bd71d0acd01b66db0a0a1e93f2e7482
                                    • Instruction Fuzzy Hash: 81B17271A01209DFDB18DFA8C895BEEFBB5FF48314F144219E415AB290DBB5A944CF90
                                    APIs
                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00F4F07A
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F4F0C6
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F4F0E8
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F4F243
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: String$Free$Alloc
                                    • String ID:
                                    • API String ID: 986138563-0
                                    • Opcode ID: edc777bb456abba265abc3435caa91f747273335e35cf2129f76bc1858b4eb3b
                                    • Instruction ID: 45aebc739ca6f211d69b024d14413e33ef86440b52630ea168d9aef821e8c079
                                    • Opcode Fuzzy Hash: edc777bb456abba265abc3435caa91f747273335e35cf2129f76bc1858b4eb3b
                                    • Instruction Fuzzy Hash: 54A16375A00209DFDB15DFA8CC44BAFBBB8EF84724F104169E919DB380D7749A05DB61
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00F685D8
                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00F68607
                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00F687CE
                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00F687F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 95b6bf7a2d23be13f5c2c00f5aad67846617653e0cebe91d406e0d9438afc163
                                    • Instruction ID: 756243262d5ad8c697ad508142f9942f89e7dbf739baacfffe8eb9413d9b58b9
                                    • Opcode Fuzzy Hash: 95b6bf7a2d23be13f5c2c00f5aad67846617653e0cebe91d406e0d9438afc163
                                    • Instruction Fuzzy Hash: 3EA17F71900204DFCF15DF68D894AEEBBB5FF48360F154669E802AB295DB70EC46DB90
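The API records above list SendMessageW, RegOpenKeyExW and WideCharToMultiByte with raw hexadecimal arguments, which is how the Joe Sandbox IDA plugin renders them; the analyst still has to translate the constants by hand to see that the ListView record sends LVM_GETEXTENDEDLISTVIEWSTYLE / LVM_SETEXTENDEDLISTVIEWSTYLE / LVM_DELETECOLUMN / LVM_INSERTCOLUMNW, that the tree-view record walks TVM_GETNEXTITEM with TVGN_CHILD then TVGN_NEXT, that the registry key is opened with KEY_READ (0x20019), and that the string conversion uses CP_THREAD_ACP (code page 3). The following parser is an added example, not part of the Joe Sandbox report or of its tooling: it reads API lines in the shape shown on this page (the line grammar is inferred from the records here and is an assumption), splits them into function, module, arguments and reference address, and annotates the constants it recognises using values from the public Windows SDK headers. The sample input is constructed by copying lines from the records above (the RegOpenKeyExW line is shortened to its real parameters).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: API lines copied from the function records on this page.
SAMPLE_LINES = """\
• EnterCriticalSection.KERNEL32(011E7250), ref: 00F5281C
• GetCurrentThreadId.KERNEL32 ref: 00F52830
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 01023433
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0102343B
• SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00F603B8
• SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00F603CD
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00F60503
• SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00F605FF
• SendMessageW.USER32(?,0000110A,00000004,?), ref: 00F685D8
• SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00F68607
  • Part of subcall function 0106CCC0: RegOpenKeyExW.ADVAPI32(00000000,567482D4,00000000,00020019,00000002), ref: 0106CD5C
• WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 0105D5CF
"""

# Line grammar as rendered on this page (assumption): optional "Part of subcall
# function <addr>:" prefix, then Func.MODULE, optional (args), then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constants from the Windows SDK headers (winuser.h, commctrl.h, winnt.h, winnls.h).
WM_SETFONT, WM_GETFONT = 0x0030, 0x0031
LVM_FIRST, TVM_FIRST = 0x1000, 0x1100
WINDOW_MESSAGES = {
    WM_SETFONT: "WM_SETFONT",
    WM_GETFONT: "WM_GETFONT",
    LVM_FIRST + 28: "LVM_DELETECOLUMN",
    LVM_FIRST + 54: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    LVM_FIRST + 55: "LVM_GETEXTENDEDLISTVIEWSTYLE",
    LVM_FIRST + 97: "LVM_INSERTCOLUMNW",
    TVM_FIRST + 10: "TVM_GETNEXTITEM",
}
TVGN_FLAGS = {0: "TVGN_ROOT", 1: "TVGN_NEXT", 2: "TVGN_PREVIOUS", 3: "TVGN_PARENT",
              4: "TVGN_CHILD", 9: "TVGN_CARET"}
KEY_ACCESS_NAMED = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
KEY_ACCESS_BITS = [
    (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
    (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
    (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE"),
]
CODE_PAGES = {0: "CP_ACP", 1: "CP_OEMCP", 2: "CP_MACCP", 3: "CP_THREAD_ACP",
              42: "CP_SYMBOL", 65000: "CP_UTF7", 65001: "CP_UTF8"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list = field(default_factory=list)   # int, None for '?', or str for names
    ref: int = 0
    subcall: Optional[int] = None               # address of the enclosing subcall, if any


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                             # value unknown to the plugin
    try:
        return int(tok, 16)
    except ValueError:
        return tok                              # e.g. a class name such as RichEdit20W


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one API line of the report; return None for non-API text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["func"], m["mod"], args, int(m["ref"], 16), sub)


def decode_key_access(mask: int) -> str:
    """Render a registry samDesired mask as SDK names (named set first, else bits)."""
    if mask in KEY_ACCESS_NAMED:
        return KEY_ACCESS_NAMED[mask]
    names = [n for bit, n in KEY_ACCESS_BITS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in KEY_ACCESS_BITS)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def annotate(call: ApiCall) -> str:
    """Return a human-readable note for the constants this decoder knows about."""
    a = call.args
    if call.func == "SendMessageW" and len(a) >= 3 and isinstance(a[1], int):
        note = WINDOW_MESSAGES.get(a[1], f"msg 0x{a[1]:04X} (unknown)")
        if a[1] == TVM_FIRST + 10 and isinstance(a[2], int):
            note += f" wParam={TVGN_FLAGS.get(a[2], hex(a[2]))}"
        return note
    if call.func == "RegOpenKeyExW" and len(a) >= 4 and isinstance(a[3], int):
        return "samDesired=" + decode_key_access(a[3])
    if call.func == "WideCharToMultiByte" and a and isinstance(a[0], int):
        return "CodePage=" + CODE_PAGES.get(a[0], str(a[0]))
    return ""


def decode_report(text: str) -> list:
    """Parse every API line in the text and pair it with its annotation."""
    out = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            out.append((call, annotate(call)))
    return out


if __name__ == "__main__":
    for call, note in decode_report(SAMPLE_LINES):
        where = f"sub {call.subcall:08X} " if call.subcall else ""
        print(f"{call.ref:08X} {where}{call.func}.{call.module}  {note}")
```

Only messages in fixed ranges are decoded: WM_* below WM_USER and the per-control ranges that comctl32 reserves (LVM_* at 0x1000, TVM_* at 0x1100). The 0x0411 sent in the GetParent record above sits in the WM_USER range, whose meaning depends on the receiving window class, so the decoder deliberately reports it as unknown rather than guessing. The "SysListView32" string in the first record is what justifies reading the 0x10xx messages as LVM_* here.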
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: d81c4223a23e695e3cd166c888b0dbb6145094380c9f4f5cd0734e3e32ac43ad
                                    • Instruction ID: 40d3f83c7c6d648b73b2787f99c1e2433e2b12cd109312e52e45905576b5e9c3
                                    • Opcode Fuzzy Hash: d81c4223a23e695e3cd166c888b0dbb6145094380c9f4f5cd0734e3e32ac43ad
                                    • Instruction Fuzzy Hash: 87A16875D00218DFCB10DFA8C884B9EBBB5FF48314F258269E804E7391E778AA45DB95
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 5d68b71cf55fe84a65f147fb6dfe48bed23350659ad064ff5e04856bfc448843
                                    • Instruction ID: 87f67b8ff7c0e11a065fe6812307009b7a2c13957eefd7c2ac756b51c4cbeb02
                                    • Opcode Fuzzy Hash: 5d68b71cf55fe84a65f147fb6dfe48bed23350659ad064ff5e04856bfc448843
                                    • Instruction Fuzzy Hash: 8E81BD30E00348DBDB10DFA8C944B9EFBB5EF44714F248259E815AB391E778AA45DB91
                                    APIs
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F547B0
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F547F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: FreeString
                                    • String ID:
                                    • API String ID: 3341692771-0
                                    • Opcode ID: 763f346dde748e56fbf455440bacf18c50e4d20e45b7b573d0685314616c75d9
                                    • Instruction ID: 34acfd0738afc687b13a44e788a68f92e74d1ddbbe3a7792bc868d6a1767aa21
                                    • Opcode Fuzzy Hash: 763f346dde748e56fbf455440bacf18c50e4d20e45b7b573d0685314616c75d9
                                    • Instruction Fuzzy Hash: 1061CE72A04249EFCB20CF58D844B9ABBB8FB48725F10416AFD159B380D776ED54DBA0
                                    APIs
                                    • RegCloseKey.ADVAPI32(00000000,567482D4), ref: 0106CE16
                                    • _wcsrchr.LIBVCRUNTIME ref: 0106CE40
                                    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 0106CEC3
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0106CF0F
                                      • Part of subcall function 0106CCC0: RegOpenKeyExW.ADVAPI32(00000000,567482D4,00000000,00020019,00000002,567482D4,00000001,00000010,00000002,0106C00C,567482D4,00000000,?), ref: 0106CD5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Close$OpenQueryValue_wcsrchr
                                    • String ID:
                                    • API String ID: 213811329-0
                                    • Opcode ID: 7b131838a145f187d99e47dd153ca61a9da71fe0ba203fd0b5832aaf7c02aa27
                                    • Instruction ID: 206feb4dc6524a3dd00e410b13fb4f234cf1eece727a0528056d89246ad440a7
                                    • Opcode Fuzzy Hash: 7b131838a145f187d99e47dd153ca61a9da71fe0ba203fd0b5832aaf7c02aa27
                                    • Instruction Fuzzy Hash: 1D51E371905749AFE710CF68C944B9EBFB9EF44320F148269ED65A73C0D7759A04CB90
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00FDFF82
                                    • GetWindowRect.USER32(?,?), ref: 00FDFF9A
                                    • GetWindowRect.USER32(?,?), ref: 00FE0006
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00FE002A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Rect$Long
                                    • String ID:
                                    • API String ID: 3486571012-0
                                    • Opcode ID: 701ab2afc601215be8c801332f48a26a321266f6742dda2b97f1109dff72758f
                                    • Instruction ID: b79d2a4211abbc0b5e8d6b651aa2b8faa373fc5e876780ee4da5b7729915af00
                                    • Opcode Fuzzy Hash: 701ab2afc601215be8c801332f48a26a321266f6742dda2b97f1109dff72758f
                                    • Instruction Fuzzy Hash: 0941D036A083059FC750DF64C840E6BB7E9FF99718F04462EF949DB200E730E9898B52
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(567482D4,567482D4,?), ref: 00F5CF9F
                                    • EnterCriticalSection.KERNEL32(?,567482D4,?), ref: 00F5CFAC
                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00F5D083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: b507adaaacb5ee241c282f20984d47919bfd2f28376cacabe91a98bcfcb8a015
                                    • Instruction ID: 7dd839ef5900cb52a5600c9ac73595d1b282980b750b994c4a3e997e08848e35
                                    • Opcode Fuzzy Hash: b507adaaacb5ee241c282f20984d47919bfd2f28376cacabe91a98bcfcb8a015
                                    • Instruction Fuzzy Hash: D841E5356017458FCB31CF78C840BAABBF6EF45325F104529EAA6D7381CB31A91ADB90
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 0105D5CF
                                    • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 0105D5DC
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0105D5F9
                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0105D61B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: bc31d84b4dbbd14ae3bb828e5bf4a66f8a4fb0ccf498e16e4c8dc324175c6c27
                                    • Instruction ID: b18a394563f82ef3a999bee13ca63e5f86c990474154098c54fc3821b9f9b637
                                    • Opcode Fuzzy Hash: bc31d84b4dbbd14ae3bb828e5bf4a66f8a4fb0ccf498e16e4c8dc324175c6c27
                                    • Instruction Fuzzy Hash: E22125B6740306BBE7205F99EC81F67775CEB54B48F20012AFA459B1C0E7A17905CBA4
                                    APIs
                                    • MulDiv.KERNEL32(00000010,?,00000060), ref: 00F96432
                                    • GetWindowRect.USER32(?,?), ref: 00F96481
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F964AA
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 00F9653C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$LongRect
                                    • String ID:
                                    • API String ID: 463821813-0
                                    • Opcode ID: db9c1bb24e72bd9466ea157100b9c62187811a1475943b0414b5b907f43ca675
                                    • Instruction ID: 508c87214931ac267dace65736f41ca59b3362c1b1b6bb60e0ebe895f3591f55
                                    • Opcode Fuzzy Hash: db9c1bb24e72bd9466ea157100b9c62187811a1475943b0414b5b907f43ca675
                                    • Instruction Fuzzy Hash: 50418C71108345AFD745CFA8D844E6AFBF4FF88304F008A2AF99597264E731A895CF41
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,80004005,?,?,?,00000000,0113B90D,000000FF), ref: 01046148
                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,80004005,?,?,?,00000000,0113B90D,000000FF), ref: 0104617A
                                    • GetStdHandle.KERNEL32(000000F5,?,567482D4,00000000,010FE9A0,000000FF,?,80070057,?,-00000001,?,?,?,80004005,?,?), ref: 010461E6
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,567482D4,00000000,010FE9A0,000000FF,?,80070057,?,-00000001,?,?,?,80004005,?,?), ref: 010461ED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AttributeConsoleHandleText
                                    • String ID:
                                    • API String ID: 3849414675-0
                                    • Opcode ID: b8e2dfe4a3b7ef806742d222cc8a3e00338989981c10891577ba8b3bda1a12e1
                                    • Instruction ID: c68fb7682c6f9e66b54f157c7b33cdca3b837a4757c700daff5359b58309b09a
                                    • Opcode Fuzzy Hash: b8e2dfe4a3b7ef806742d222cc8a3e00338989981c10891577ba8b3bda1a12e1
                                    • Instruction Fuzzy Hash: F621F672304215EFDB149B98DC89F5ABBA9EB85731F20427EF625D76D0CB356801CB60
                                    APIs
                                    • GetParent.USER32(00000000), ref: 00F99A2F
                                    • GetParent.USER32(00000000), ref: 00F99A37
                                    • GetParent.USER32(00000000), ref: 00F99A3C
                                    • SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 00F99A4D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Parent$MessageSend
                                    • String ID:
                                    • API String ID: 2251359880-0
                                    • Opcode ID: 7d612f03d5d3a58eee5bcc9aacd33ff57531bf971836e2233acc2ffe497465de
                                    • Instruction ID: 7b5bc9e6a95c3d3aad125e19b9f7c39bd63cdd9253b5bf22f342cf660ea8c041
                                    • Opcode Fuzzy Hash: 7d612f03d5d3a58eee5bcc9aacd33ff57531bf971836e2233acc2ffe497465de
                                    • Instruction Fuzzy Hash: 7E212F32708105AFEF248AACEC84EAEF799EF90728F05403AF400C6154EB75DC81D760
                                    APIs
                                    • SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F58B39
                                    • GetParent.USER32(?), ref: 00F58B6D
                                      • Part of subcall function 010D67B8: GetProcessHeap.KERNEL32(00000008,00000008,?,00F50E77,?,?,00F50C24,?), ref: 010D67BD
                                      • Part of subcall function 010D67B8: HeapAlloc.KERNEL32(00000000,?,?,00F50C24,?), ref: 010D67C4
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00F58BA0
                                    • ShowWindow.USER32(?,00000000), ref: 00F58BB6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$HeapLong$AllocParentProcessShow
                                    • String ID:
                                    • API String ID: 78937335-0
                                    • Opcode ID: e693eeef0cb24c41be748b43149a0803da52cfb0030ef6e22f2aec52d21e0097
                                    • Instruction ID: 889e65e8527b8520080f9c855a5ca049569c4c01afea0e914aaa984453b2c46b
                                    • Opcode Fuzzy Hash: e693eeef0cb24c41be748b43149a0803da52cfb0030ef6e22f2aec52d21e0097
                                    • Instruction Fuzzy Hash: B321E174A007019FC324EF69C804E6BBBE9FF99625B404A2DF896D3650EB30E804CB61
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,567482D4), ref: 00F5CDFA
                                    • EnterCriticalSection.KERNEL32(?,567482D4), ref: 00F5CE07
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00F5CE58
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: 445b7048ee93bcc5e7440d75fee2876ce6d573842add3c4514e8de1238579946
                                    • Instruction ID: 2ba00364a3f5e95d323ee015d6e0c115cf353b30b37ae1f172d8a5d9fac8bb99
                                    • Opcode Fuzzy Hash: 445b7048ee93bcc5e7440d75fee2876ce6d573842add3c4514e8de1238579946
                                    • Instruction Fuzzy Hash: 2721E132900345DFDF11CF64C844BE9BBB4EB16329F1005A9DC59AB386C331594ADBA0
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,567482D4), ref: 00F5CEEA
                                    • EnterCriticalSection.KERNEL32(?,567482D4), ref: 00F5CEF7
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00F5CF3E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: 9e1055a7c61b7c676b62502a158504e2f27418584c00bf75a2e412363c56e6d8
                                    • Instruction ID: e6fcdda210eefc81ef06c5ac287e115317cb636f3aa192a25bfdd11007569cc6
                                    • Opcode Fuzzy Hash: 9e1055a7c61b7c676b62502a158504e2f27418584c00bf75a2e412363c56e6d8
                                    • Instruction Fuzzy Hash: AD21B076A00345DFDF11CF64C844BA9BBB4FF15329F1005A9ED69AB286D7329909CBA0
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(?,567482D4,?), ref: 00F5CD2D
                                    • EnterCriticalSection.KERNEL32(?,567482D4,?), ref: 00F5CD3A
                                    • LeaveCriticalSection.KERNEL32(?), ref: 00F5CD62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterInitializeLeave
                                    • String ID: v
                                    • API String ID: 3991485460-3261393531
                                    • Opcode ID: 603eda3aadc5122f74430056026a972ab9f2333cb3b07723ade613e967e60f8d
                                    • Instruction ID: 25c4ef17478735952c1bb1e7ee2718bd5de04c3d335d92484de173d84bfe2e3b
                                    • Opcode Fuzzy Hash: 603eda3aadc5122f74430056026a972ab9f2333cb3b07723ade613e967e60f8d
                                    • Instruction Fuzzy Hash: 2221E136D04349DFCF15CF24C840BEABF74EB16228F1006A9DC6AA7381C7325A09DBA0
                                    APIs
                                    • WaitForSingleObject.KERNEL32(00000001,?,567482D4,?,?,00000000,010FE7D0,000000FF,?,01082058,00000000,80004005,?,?,0106485D,?), ref: 010820A7
                                    • GetExitCodeThread.KERNEL32(00000001,01082058,?,?,00000000,010FE7D0,000000FF), ref: 010820C1
                                    • TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,010FE7D0,000000FF), ref: 010820D9
                                    • CloseHandle.KERNEL32(00000001,?,?,00000000,010FE7D0,000000FF,?,01082058,00000000,80004005,?,?,0106485D,?,567482D4,?), ref: 010820E2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                    • String ID:
                                    • API String ID: 3774109050-0
                                    • Opcode ID: 4bc6b535faaf5783bd047ffbba2924b2833aaff9b7eec75315a8801250a810e1
                                    • Instruction ID: 8bc28d7fcfd28374c9cc56644316f6c3dafab924c2252c55ed7df063b956c5cf
                                    • Opcode Fuzzy Hash: 4bc6b535faaf5783bd047ffbba2924b2833aaff9b7eec75315a8801250a810e1
                                    • Instruction Fuzzy Hash: EB016931504709EFDB349F58DC09B66BBE9FB04720F008A29F9A692A90E775A880CB50
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00F4D966
                                    • SendMessageW.USER32(?,00000000,00000000), ref: 00F4DA62
                                      • Part of subcall function 00F4F1A0: SysFreeString.OLEAUT32(00000000), ref: 00F4F243
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CreateFreeMessageSendStringWindow
                                    • String ID: AtlAxWin140
                                    • API String ID: 4045344427-3842940177
                                    • Opcode ID: a29b341378b9e58aafa87c6a2733a37d133e41d79f722e6078493dbdb580b2cd
                                    • Instruction ID: b458963e9917baa90ab4b636262ed1c8e317dde9f75abf3f8f1066b9049792ba
                                    • Opcode Fuzzy Hash: a29b341378b9e58aafa87c6a2733a37d133e41d79f722e6078493dbdb580b2cd
                                    • Instruction Fuzzy Hash: A1911374600209EFDB14CF68C888B5ABBB9FF49724F1085A9FC299B391CB75E901DB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00FAF126
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00FAF12C
                                      • Part of subcall function 00FB0AC0: GetProcessHeap.KERNEL32(?,?,567482D4,00000000), ref: 00FB0B7A
                                      • Part of subcall function 00FB0AC0: HeapFree.KERNEL32(00000000,?,?,567482D4,00000000), ref: 00FB0B80
                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAF337
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAF33D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: c97de6c4801003fe0f7b3b54df45462e150cc43e5c5b9987f9b993ba04fae191
                                    • Instruction ID: b29b5884216385a65a4662d65afa065cd36409ecdfd058f7b077707584802b4b
                                    • Opcode Fuzzy Hash: c97de6c4801003fe0f7b3b54df45462e150cc43e5c5b9987f9b993ba04fae191
                                    • Instruction Fuzzy Hash: DEF19DB0D00249DFDB14DFA8C945BEEBBB4FF15314F2041ADE815AB281DB75AA08DB91
                                    APIs
                                      • Part of subcall function 00F49E20: GetProcessHeap.KERNEL32 ref: 00F49E75
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49EA7
                                      • Part of subcall function 00F49E20: __Init_thread_footer.LIBCMT ref: 00F49F32
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0114240F,000000FF), ref: 01078563
                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0114240F,000000FF), ref: 010785F1
                                    Strings
                                    • << Advanced Installer (x86) Log >>, xrefs: 010784CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                    • String ID: << Advanced Installer (x86) Log >>
                                    • API String ID: 3699736680-396061572
                                    • Opcode ID: db80ecd5fb0fa5ae5fd1d4f35a33f0310a01d5aa01f17f27499388fc9fc851b8
                                    • Instruction ID: b52812a6cbc5514b80bc3506a29ebcf2f936554629c3b9969497c7a284e38db6
                                    • Opcode Fuzzy Hash: db80ecd5fb0fa5ae5fd1d4f35a33f0310a01d5aa01f17f27499388fc9fc851b8
                                    • Instruction Fuzzy Hash: 3E61CC30A05685DFEB14CFA8D948B8AFFF4FB46314F1482ADE8509B781DB749A44CB90
                                    APIs
                                      • Part of subcall function 010D7112: EnterCriticalSection.KERNEL32(011E5CD8,?,?,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D711D
                                      • Part of subcall function 010D7112: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49EC6,011E6904,567482D4,?,?,010FEF2D,000000FF,?,0107C88C,567482D4), ref: 010D715A
                                    • __Init_thread_footer.LIBCMT ref: 00F8D24D
                                      • Part of subcall function 010D70C8: EnterCriticalSection.KERNEL32(011E5CD8,?,?,00F49F37,011E6904,01157320), ref: 010D70D2
                                      • Part of subcall function 010D70C8: LeaveCriticalSection.KERNEL32(011E5CD8,?,00F49F37,011E6904,01157320), ref: 010D7105
                                      • Part of subcall function 010D70C8: RtlWakeAllConditionVariable.NTDLL ref: 010D717C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
                                    • API String ID: 2296764815-2445763458
                                    • Opcode ID: 6b303b6e25c6a37670d173f680ef32ab8303f5669678b8b729e7229bb2020911
                                    • Instruction ID: bec1a7413c51d18401da002351a35d4d3d3baa03eca11cdcaf763a65ca4907f4
                                    • Opcode Fuzzy Hash: 6b303b6e25c6a37670d173f680ef32ab8303f5669678b8b729e7229bb2020911
                                    • Instruction Fuzzy Hash: 8271D370805249EFEB15DFA8C905BDEBBF4BF14314F148259E814672C1D7B95A08EBE2
                                    APIs
                                    • PathIsUNCW.SHLWAPI(?,567482D4), ref: 01034B51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Path
                                    • String ID: \\?\$\\?\UNC\
                                    • API String ID: 2875597873-3019864461
                                    • Opcode ID: 25c1001b1fc71e99c7e9ae41ae71818cdc55f4d19449a9fc51956ff39913d630
                                    • Instruction ID: 1b771733fc10865340e26c36a7b0fb6aa8269d6377268d8a67edee66e2fe0c53
                                    • Opcode Fuzzy Hash: 25c1001b1fc71e99c7e9ae41ae71818cdc55f4d19449a9fc51956ff39913d630
                                    • Instruction Fuzzy Hash: CA51E570E006089BDB18DF68D895BEEFBF9FF85304F10861DD851AB281DB756948CBA1
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?,567482D4,?,?,011E7054), ref: 0107973F
                                    • CreateDirectoryW.KERNEL32(?,00000000,?,011E7054), ref: 010797A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryPathTemp
                                    • String ID: ADVINST_LOGS
                                    • API String ID: 2885754953-2492584244
                                    • Opcode ID: 2cb9a3e8ed1c8ce21e91fca03331931c8cf13f0c1318a39c7c50e1ee680c2a78
                                    • Instruction ID: 93f444436ed03ea259c85a9628937fa37ec2e2bcc8c6eff7e375a1e31749981b
                                    • Opcode Fuzzy Hash: 2cb9a3e8ed1c8ce21e91fca03331931c8cf13f0c1318a39c7c50e1ee680c2a78
                                    • Instruction Fuzzy Hash: 8351C775D00219CBDBB49F68C8447B9B3F4FF04728F1446EED89997291EB354981CB94
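Reading hundreds of these function blocks by hand is slow, so the following added example (not part of the Joe Sandbox report and not code from the analysed sample) parses this block layout into records: per function, the API calls with module and reference address, including the indented "Part of subcall function" entries, the strings with their xrefs, the memory-dump sources with the fused "Download File" link label stripped, and the Similarity fields. It then tags blocks from a small illustrative watch-list (an assumption of this example, not a Joe Sandbox rule) and groups blocks that share an API String ID, which is how the repeated ActiveWindow / GenericAxControl.cpp functions further down this page would surface. The excerpt it parses is constructed from blocks on this page, with hashes and most dump lines omitted.

```python
# Added example (not part of the Joe Sandbox report): parse the function-block listing format
# used on this page into records so API/string pairs can be filtered and grouped for triage.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: five blocks copied from this page, hashes and most dump lines omitted.
SAMPLE = r"""
APIs
• PathIsUNCW.SHLWAPI(?,567482D4), ref: 01034B51
Memory Dump Source
• Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Path
• String ID: \\?\$\\?\UNC\
• API String ID: 2875597873-3019864461
APIs
• GetTempPathW.KERNEL32(00000104,?,567482D4,?,?,011E7054), ref: 0107973F
• CreateDirectoryW.KERNEL32(?,00000000,?,011E7054), ref: 010797A0
Similarity
• API ID: CreateDirectoryPathTemp
• String ID: ADVINST_LOGS
• API String ID: 2885754953-2492584244
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,0116438C), ref: 00F57370
  • Part of subcall function 0102EBE0: GetModuleHandleW.KERNEL32(Advapi32.dll,567482D4), ref: 0102EC23
Strings
• AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00F57268
Similarity
• API ID: CloseHandle$Module
• API String ID: 1412095732-2431777889
APIs
Strings
• D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4D395
Similarity
• API ID: ActiveWindow
• API String ID: 2558294473-4014065217
APIs
Strings
• D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4CFC4
Similarity
• API ID: ActiveWindow
• API String ID: 2558294473-4014065217
"""

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>.+?)\.(?P<module>[A-Z0-9]+)(\(.*\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # link label the page extractor fused onto dump file names

@dataclass
class Block:
    apis: list = field(default_factory=list)     # (name, module, ref, parent subcall or None)
    strings: list = field(default_factory=list)  # (value, xref)
    dumps: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

def parse_blocks(text):
    blocks, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every function block opens with its APIs header
                blocks.append(Block())
            section = line
        elif line.startswith("• ") and blocks:
            item, blk = line[2:], blocks[-1]
            if section == "APIs" and (m := API_RE.match(item)):
                blk.apis.append((m["name"], m["module"], m["ref"], m["sub"]))
            elif section == "Strings" and (m := STR_RE.match(item)):
                blk.strings.append((m["value"], m["ref"]))
            elif section == "Memory Dump Source":
                blk.dumps.append(item.removesuffix(RESIDUE))
            elif section == "Similarity":
                key, _, val = item.partition(": ")
                blk.similarity[key] = val
    return blocks

# Illustrative watch-list (this example's assumption, not a Joe Sandbox rule): tag on any listed API.
WATCH = {
    "temp-path": {"GetTempPathW", "CreateDirectoryW"},
    "registry-handle": {"RegCloseKey", "RegOpenKeyExW", "RegQueryValueExW"},
    "named-sync-object": {"OpenEventW", "CreateEventW"},
}

def tag_block(blk):
    names = {name for name, _, _, _ in blk.apis}  # subcall entries count too
    return sorted(tag for tag, needed in WATCH.items() if names & needed)

def group_by_signature(blocks):
    """Indices of blocks sharing an API String ID; the report lists each such function separately."""
    groups = defaultdict(list)
    for i, blk in enumerate(blocks):
        groups[blk.similarity.get("API String ID", "")].append(i)
    return {sig: idx for sig, idx in groups.items() if len(idx) > 1}

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for i, blk in enumerate(blocks):
        print(i, blk.similarity.get("API ID"), tag_block(blk), [a[0] for a in blk.apis])
    print("repeated signatures:", group_by_signature(blocks))
```

Run as a script it prints one line per block plus the repeated-signature groups; pointed at the text export of a whole report it gives the same view over every function, which is usually quicker than paging through the listing.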
                                    APIs
                                    • RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,0116438C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,567482D4), ref: 00F57370
                                      • Part of subcall function 0102EBE0: GetModuleHandleW.KERNEL32(Advapi32.dll,567482D4,?,?,?,00000000,?,Function_001BEE20,000000FF), ref: 0102EC23
                                    • CloseHandle.KERNEL32(?,567482D4), ref: 00F573A9
                                    Strings
                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00F57268
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: CloseHandle$Module
                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                    • API String ID: 1412095732-2431777889
                                    • Opcode ID: 42e3ff96db907c17e32aa0f8728beb1ac84a6f4a1c7e8596691b8eae2e747ef5
                                    • Instruction ID: 972a41775d02f64cd49c5107fcb6dbce4fbf35def23eca5a995e0a4cd07e832d
                                    • Opcode Fuzzy Hash: 42e3ff96db907c17e32aa0f8728beb1ac84a6f4a1c7e8596691b8eae2e747ef5
                                    • Instruction Fuzzy Hash: B5515B70D04348DADB24EFA4C949BDEBBB4BF14314F108159E855B7281DBB86A48DBA1
                                    APIs
                                    • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,567482D4,0117A83C), ref: 010482A8
                                    • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 010483B2
                                      • Part of subcall function 0103AA10: std::locale::_Init.LIBCPMT ref: 0103AAED
                                      • Part of subcall function 010381D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 010382A5
                                    Strings
                                    • Failed to get Windows error message [win32 error 0x, xrefs: 010482C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                    • String ID: Failed to get Windows error message [win32 error 0x
                                    • API String ID: 1983821583-3373098694
                                    • Opcode ID: 7a8507dbd9f997c0b1dbccb0e2aba89b1bc57374675789f4b38813e2a2478a79
                                    • Instruction ID: 0d05071f53b1b31bc4d9f022f2ccfa8e866a43c2f65236170d86290044cb4f91
                                    • Opcode Fuzzy Hash: 7a8507dbd9f997c0b1dbccb0e2aba89b1bc57374675789f4b38813e2a2478a79
                                    • Instruction Fuzzy Hash: 2D418271A00319DBDB20DF98C948BAFB7F8FF44704F108969E455EB290D7B49A08CB91
                                    APIs
                                    • OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,0117B440,00000001,567482D4,00000000), ref: 01092F9E
                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 01092FBB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Event$CreateOpen
                                    • String ID: _pbl_evt
                                    • API String ID: 2335040897-4023232351
                                    • Opcode ID: ff788dbfb747d3c053cd048d4369885e4d818b4b7c4ab7ff602b4f6793af230c
                                    • Instruction ID: 3b36fd48c77a4d8559df460399fb65707cd2d055de39cbd8dbaa9c8db0b6e879
                                    • Opcode Fuzzy Hash: ff788dbfb747d3c053cd048d4369885e4d818b4b7c4ab7ff602b4f6793af230c
                                    • Instruction Fuzzy Hash: 8A312871D04209EFDB10DFA8D955BEEBBB4EF18714F108529E821B7280DB746A09CBA1
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0103779B
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 010377FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 3988782225-1405518554
                                    • Opcode ID: ea548946804deeaea126ee2ef7de290f33a7d228aa788fc9841b88f890c508d5
                                    • Instruction ID: 2f593e2e98959eddfba50b2ee6c3a448b1914c20248a913fdbf3df27ac298430
                                    • Opcode Fuzzy Hash: ea548946804deeaea126ee2ef7de290f33a7d228aa788fc9841b88f890c508d5
                                    • Instruction Fuzzy Hash: E321ED70A05784DFD720CF69C90078ABFE8AF15314F14869DD485CBB81D3B5AA04CBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00FAE62B
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00FAE631
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00FAE700
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00FAE706
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 7e417a510c5db4b60f39b4c4740b875ff53b5f9d013420e027f960495637c2aa
                                    • Instruction ID: a1788727a0c562e63f6bf33d9960a27c72185767e3bb434593259a4e67950cf1
                                    • Opcode Fuzzy Hash: 7e417a510c5db4b60f39b4c4740b875ff53b5f9d013420e027f960495637c2aa
                                    • Instruction Fuzzy Hash: 3FD19BB0D00308DFDB14DFA8C894BEEBBB9BF55314F244169D415AB291DB34AE09EB91
                                    APIs
                                    • GetParent.USER32(00000005), ref: 00F61554
                                    Strings
                                    • d, xrefs: 00F61520
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00F61529
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                    • API String ID: 975332729-3547446826
                                    • Opcode ID: b648f2cada1774a09bc9fcde9f652db333d71afa1aa43b22a3d5e7b83ad1b8c1
                                    • Instruction ID: f49766055e3be80aa72b90b6b8c118aea3f63420b30da1563eee504c8a1fd99d
                                    • Opcode Fuzzy Hash: b648f2cada1774a09bc9fcde9f652db333d71afa1aa43b22a3d5e7b83ad1b8c1
                                    • Instruction Fuzzy Hash: 23212774D05298EEDF08DFE4E948BCDBFB0BF14308F148098E041AB295D7B95A08CB91
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4D395
                                    • d, xrefs: 00F4D389
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: ae0a40a1809bc053a4683ca1cb80a606c44fbb52491c28e43557705f290cde18
                                    • Instruction ID: 266e4b6b53dbe642efc313dd35cfcc5466b8c2a8d88014161ce40eb8d22a45ed
                                    • Opcode Fuzzy Hash: ae0a40a1809bc053a4683ca1cb80a606c44fbb52491c28e43557705f290cde18
                                    • Instruction Fuzzy Hash: 51213674D05298EECB08DFE4E9587CEBBB0BF14304F248088E041AB395DBB95A08CB91
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4CFC4
                                    • d, xrefs: 00F4CFBB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 682a21257c2cd2d0a5863da267e0c57053a0ac93e18cf00ca8ac760ca79b207e
                                    • Instruction ID: 7be6ce5c418b3c896cb4646962e242957031b50f768cbd0ee268e884e3e5a42f
                                    • Opcode Fuzzy Hash: 682a21257c2cd2d0a5863da267e0c57053a0ac93e18cf00ca8ac760ca79b207e
                                    • Instruction Fuzzy Hash: 48213674D05298EECB08DFE4E9587CEBFB1BF15308F148088E041AB295DBB95A08CB91
                                    APIs
                                    • GetParent.USER32(0000000D), ref: 00F6161B
                                    Strings
                                    • d, xrefs: 00F615E5
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00F615EE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                    • API String ID: 975332729-3547446826
                                    • Opcode ID: 07f2ece05594ba44d45f468297290fb9697583a259bdb5fcb3654bc87ad52c18
                                    • Instruction ID: 24019c059dcd873a0beb90bf206637c2034e829638da5751e441ccbd6b3626ed
                                    • Opcode Fuzzy Hash: 07f2ece05594ba44d45f468297290fb9697583a259bdb5fcb3654bc87ad52c18
                                    • Instruction Fuzzy Hash: 73213374D04288EEDF08DFE4E958BDDBFB1BF14308F148098E041AB295DBB95A09DB91
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4D459
                                    • d, xrefs: 00F4D44D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 4952b4a85ed010f92cbf7388a640ba2a26d56b49f66fc4833b61a7c41a71d3c4
                                    • Instruction ID: 2b85f5490de5b44216377281f018e3c66a12a6b0499327833ef141f695f6310f
                                    • Opcode Fuzzy Hash: 4952b4a85ed010f92cbf7388a640ba2a26d56b49f66fc4833b61a7c41a71d3c4
                                    • Instruction Fuzzy Hash: B5214774D04288EADF09DFE4E9587CEBFB0BF54308F248158D0406B295DBB94A09DB51
                                    APIs
                                    Strings
                                    • d, xrefs: 00F4D07A
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4D083
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                     • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                    • API String ID: 2558294473-4014065217
                                    • Opcode ID: 73d17faff6127c38ad6ae5f439734ea98b9c28e38d543a798e515b9a2ec141fa
                                    • Instruction ID: 9a0d2c261f405f1c796494f3fdec3d68c442bb7dc22359d5c282f250ef896912
                                    • Opcode Fuzzy Hash: 73d17faff6127c38ad6ae5f439734ea98b9c28e38d543a798e515b9a2ec141fa
                                    • Instruction Fuzzy Hash: DC214474D08288EEDF08DFE4E9587CDBFB0BF14308F248098E041AB295DBB94A09DB51
                                    APIs
                                    • CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA136F
                                    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00F9FEE9,00000000,567482D4,?,?), ref: 00FA1388
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Window$Create
                                    • String ID: tooltips_class32
                                    • API String ID: 870168347-1918224756
                                    • Opcode ID: 8ea6c43fac8c531126d384e58c5a85902ba0ed351a411573fb0dbb0077842e23
                                    • Instruction ID: 4725d6377b6300e081445ebfb332d0b224067f7d13578b5acbb2511dd27abe30
                                    • Opcode Fuzzy Hash: 8ea6c43fac8c531126d384e58c5a85902ba0ed351a411573fb0dbb0077842e23
                                    • Instruction Fuzzy Hash: 4C01F0353803127AF76886A4DC1AFA672D9D740B55F348238BB15FE0C0E6A2AA20C608
                                    APIs
                                    • GetParent.USER32(00000013), ref: 00F616A4
                                    Strings
                                    • Unknown exception, xrefs: 00F61679
                                    • D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00F61689
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Parent
                                    • String ID: D:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                    • API String ID: 975332729-3529215713
                                    • Opcode ID: 7005f40ea0189e81de4753696adf6658ebc9093b1fc65fe04bec2422d8a4b0df
                                    • Instruction ID: b94236192d3ec0628fab71422e9ac85b28449b4741964834c9fc019d42c4f3c0
                                    • Opcode Fuzzy Hash: 7005f40ea0189e81de4753696adf6658ebc9093b1fc65fe04bec2422d8a4b0df
                                    • Instruction Fuzzy Hash: 2D016134D0528CEFCB05EBE4D918ADDBFB1AF55304F548098D4016B296DBB55A08EB91
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4D4F3
                                    • Unknown exception, xrefs: 00F4D4E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                    • API String ID: 2558294473-1308700304
                                    • Opcode ID: af708f65f3d8a069a13264a07cff191043c5885e2dd7c9aa98e64540ef6380cc
                                    • Instruction ID: e978a1c200fb89b1adea4bbcd006af169f825eac605bdafbe9a12ee4f5579ab8
                                    • Opcode Fuzzy Hash: af708f65f3d8a069a13264a07cff191043c5885e2dd7c9aa98e64540ef6380cc
                                    • Instruction Fuzzy Hash: EA019234D0528CEBCB05EBE4D9146CEBFB56F55304F24819CD401AB386DBB45B08DB92
                                    APIs
                                    Strings
                                    • D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00F4D118
                                    • Unknown exception, xrefs: 00F4D108
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: D:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                    • API String ID: 2558294473-1308700304
                                    • Opcode ID: 7b4897c69ab9bf1efaca4fa975cd3bf699873a98a8479294e3c60e3468013316
                                    • Instruction ID: 4011624e379bfe19bb0dd9bba01175775758f7bd549b233bde850620ab585c04
                                    • Opcode Fuzzy Hash: 7b4897c69ab9bf1efaca4fa975cd3bf699873a98a8479294e3c60e3468013316
                                    • Instruction Fuzzy Hash: 52019234D0528CEBCB05EBE4D9146DDBFB56F55304F14809CE401AB285DBB44A08DB92
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00F820B1
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00F820B7
                                    • GetProcessHeap.KERNEL32(?,?), ref: 00F82143
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 00F82149
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 89f7e3cffb9e7b57f4230187b32d08212e48e5b7971f3d0ce1fc1fd70c7ffd9b
                                    • Instruction ID: fc60b0a03dcbace104788c00000138a7311fbb0a8f0a8ac43899ba05b502cdf1
                                    • Opcode Fuzzy Hash: 89f7e3cffb9e7b57f4230187b32d08212e48e5b7971f3d0ce1fc1fd70c7ffd9b
                                    • Instruction Fuzzy Hash: 0091E2B0D01248EFDB14EFA4C844BEEFBB5FF54324F20425AE41167291DB74AA05DBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(?,?,?,?), ref: 00F80E11
                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00F80E17
                                    • GetProcessHeap.KERNEL32(?,?,?,?), ref: 00F80EA3
                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00F80EA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2127150603.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                    • Associated: 00000000.00000002.2127136507.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127391147.00000000011DF000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127405021.00000000011E4000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127415610.00000000011E5000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f40000_L7eGkXK1vw.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: c9706aae12ef2dc04abb7cb21550fe921f45e997c0fc7f57601c894744651255
                                    • Instruction ID: 8b3ab929aa68c668627422bec4890168a453527ca6d44d938d832aff0d428041
                                    • Opcode Fuzzy Hash: c9706aae12ef2dc04abb7cb21550fe921f45e997c0fc7f57601c894744651255
                                    • Instruction Fuzzy Hash: 4961BDB1E05248EFDF14EBA4D844BDEBBB5BF10324F10465AE411A7281DF74AA09DBA1
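The two function entries above (refs 00F820B1/00F82143 and 00F80E11/00F80EA3) each show GetProcessHeap followed six bytes later by HeapFree, which is the ordinary `HeapFree(GetProcessHeap(), 0, p)` cleanup idiom rather than a heap-flags debugger check. The script below is an added triage example, not part of the Joe Sandbox report or its IDA plugin: it parses the report's "• Api.MODULE(args), ref: ADDR" lines and marks each GetProcessHeap call as consumed by a heap routine (benign idiom) or standalone (worth opening in a disassembler). The first two sample entries are copied from the report; the third entry, the MAX_IDIOM_GAP threshold and the function names are constructed for the example.

```python
"""Triage Joe Sandbox 'APIs' listings for GetProcessHeap usage.

Added example, not part of the Joe Sandbox report. It parses the
"  • Api.MODULE(args), ref: ADDR" lines the report prints for each
function and checks whether every GetProcessHeap call is immediately
consumed by a heap routine (the HeapFree(GetProcessHeap(), 0, p) idiom)
or stands alone, which is the only case worth inspecting for a read of
the heap Flags/ForceFlags fields.
"""
import re
from dataclasses import dataclass

# One API line of a Joe Sandbox function entry, e.g.
#   • HeapFree.KERNEL32(00000000,?,?), ref: 00F820B7
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Routines that take the handle returned by GetProcessHeap as first argument.
HEAP_CONSUMERS = {"HeapFree", "HeapAlloc", "HeapReAlloc", "HeapSize", "HeapDestroy"}

# Constructed threshold: `call GetProcessHeap / push eax / call HeapFree`
# is a handful of bytes on x86; the report shows a 6-byte gap.
MAX_IDIOM_GAP = 0x20


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int


def parse_api_calls(entry_text):
    """Return the API calls of one function entry, in report order."""
    calls = []
    for m in API_LINE.finditer(entry_text):
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def triage_getprocessheap(calls):
    """Map each GetProcessHeap ref to 'heap-idiom' or 'standalone'."""
    verdicts = {}
    for i, call in enumerate(calls):
        if call.api != "GetProcessHeap":
            continue
        nxt = calls[i + 1] if i + 1 < len(calls) else None
        if nxt and nxt.api in HEAP_CONSUMERS and 0 < nxt.ref - call.ref <= MAX_IDIOM_GAP:
            verdicts[call.ref] = "heap-idiom"
        else:
            verdicts[call.ref] = "standalone"
    return verdicts


# Sample entries: the first two are copied from the report above.
ENTRY_00F820B1 = """APIs
• GetProcessHeap.KERNEL32(?,?), ref: 00F820B1
• HeapFree.KERNEL32(00000000,?,?), ref: 00F820B7
• GetProcessHeap.KERNEL32(?,?), ref: 00F82143
• HeapFree.KERNEL32(00000000,?,?), ref: 00F82149
"""

ENTRY_00F80E11 = """APIs
• GetProcessHeap.KERNEL32(?,?,?,?), ref: 00F80E11
• HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00F80E17
• GetProcessHeap.KERNEL32(?,?,?,?), ref: 00F80EA3
• HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00F80EA9
"""

# Constructed entry (not from the report): the heap handle is not passed on.
ENTRY_CONSTRUCTED = """APIs
• GetProcessHeap.KERNEL32(?,?), ref: 00401010
• IsDebuggerPresent.KERNEL32(), ref: 00401040
"""


if __name__ == "__main__":
    for name, entry in [("00F820B1", ENTRY_00F820B1),
                        ("00F80E11", ENTRY_00F80E11),
                        ("constructed", ENTRY_CONSTRUCTED)]:
        for ref, verdict in triage_getprocessheap(parse_api_calls(entry)).items():
            print(f"{name}: GetProcessHeap @ {ref:08X} -> {verdict}")
```

Only "standalone" hits need manual follow-up; "heap-idiom" pairs are the CRT-style free path and explain why a clean installer stub trips the GetProcessHeap signature.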