Windows Analysis Report
RIv8fq9APB.exe

Overview

General Information

Sample name: RIv8fq9APB.exe (renamed because the original name is a hash value)
Original sample name: 895dccfa0aa2a7dfc4be56e0cf045dcbaf40a7ef23849ad30a3af38793fd214c.exe
Analysis ID: 1554995
MD5: 607a6e4ea1d6aa1393f54ad0c3b51dd7
SHA1: d3eefc0bd98d2d176483a80fa6f9e984d1e66e9a
SHA256: 895dccfa0aa2a7dfc4be56e0cf045dcbaf40a7ef23849ad30a3af38793fd214c
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 13
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • RIv8fq9APB.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\RIv8fq9APB.exe" MD5: 607A6E4EA1D6AA1393F54AD0C3B51DD7)
    • msiexec.exe (PID: 6636 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6372 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6420 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1432 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype                      Source IP     Source Port  Destination IP  Destination Port  Protocol
2024-11-13T10:10:20.237361+0100  2022930  1         A Network Trojan was detected  4.245.163.56  443          192.168.2.7     49724             TCP
2024-11-13T10:10:58.949766+0100  2022930  1         A Network Trojan was detected  4.245.163.56  443          192.168.2.7     49947             TCP

There are no malicious signatures.

Source: RIv8fq9APB.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: RIv8fq9APB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: wininet.pdbUGP source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: RIv8fq9APB.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003243B0 FindFirstFileW,GetLastError,FindClose,0_2_003243B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00342380 FindFirstFileW,FindClose,0_2_00342380
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0023A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,0_2_0023A950
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003414D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_003414D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00323DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,0_2_00323DE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0032C0B0 FindFirstFileW,FindClose,FindClose,0_2_0032C0B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0033E3A0 FindFirstFileW,FindClose,0_2_0033E3A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034E610 FindFirstFileW,FindClose,0_2_0034E610
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_0034B3D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034B7D0 FindFirstFileW,FindClose,0_2_0034B7D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00323A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_00323A50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0035FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_0035FB20
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,0_2_0034A620
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49724
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49947
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003615E0 NtdllDefWindowProc_W,0_2_003615E0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002E1FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W,0_2_002E1FB0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00280010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00280010
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00232250 NtdllDefWindowProc_W,0_2_00232250
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0023C4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,0_2_0023C4F0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00238720 NtdllDefWindowProc_W,0_2_00238720
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00238890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00238890
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00280BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,0_2_00280BAA
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0022EBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,0_2_0022EBE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00280C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,0_2_00280C22
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00280CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,0_2_00280CE3
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00276EE0 NtdllDefWindowProc_W,0_2_00276EE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0022F190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,0_2_0022F190
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0024D320 NtdllDefWindowProc_W,0_2_0024D320
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002415F0 NtdllDefWindowProc_W,0_2_002415F0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00231670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,0_2_00231670
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0022F7C0 NtdllDefWindowProc_W,0_2_0022F7C0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00231C90 NtdllDefWindowProc_W,0_2_00231C90
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002C7F20 NtdllDefWindowProc_W,0_2_002C7F20
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5646f9.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4812.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4871.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48A1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48C1.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI4812.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0023A950
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0035B350
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00337D70
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00246070
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002441B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003BE2BE
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0023E290
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003BE64C
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00302A50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003D8B95
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00238CD0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00222F40
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002552F0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0039D550
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002435A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003D3631
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00247630
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002FB7A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0027FA40
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003CDD6A
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00293FC0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 00227070 appears 53 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 0031E6D0 appears 60 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 00226FF0 appears 46 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 002299C0 appears 69 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 00229390 appears 41 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 0031E770 appears 31 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 00253810 appears 90 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: String function: 00228800 appears 223 times
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameInstaller.exe@ vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1236810027.0000000001124000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDecoder.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe | Binary or memory string: OriginalFileNameInstaller.exe@ vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe | Binary or memory string: OriginalFilenameDecoder.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi44B7.tmp.0.dr | Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine | Classification label: clean13.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00322230 FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034C990 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00366D50 CoCreateInstance
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002BAB40 FindResourceW,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File created: C:\Users\user~1\AppData\Local\Temp\shi44B7.tmp
Source: RIv8fq9APB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File read: C:\Users\user\Desktop\RIv8fq9APB.exe
Source: unknown | Process created: C:\Users\user\Desktop\RIv8fq9APB.exe "C:\Users\user\Desktop\RIv8fq9APB.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408
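The process chain the report records above is the usual shape of a setup-stub install: the stub (RIv8fq9APB.exe) runs msiexec /i against an MSI it has staged under the user's AppData, passing the stub's own path and its original arguments through as public properties (AI_SETUPEXEPATH, SETUPEXEDIR, EXE_CMD_LINE, AI_EUIMSI are the property names an Advanced Installer-built stub uses; the same toolchain is visible in the AICustAct/Prereq/lzmaextractor PDB paths later in the report), and the Windows Installer service (msiexec /V) then spawns 32-bit MsiExec.exe -Embedding <GUID> hosts for the package's custom-action DLLs. That is also why the "Very long cmdline option" signature fires. The Python below is an added triage example written for this report, not code from Joe Sandbox or from the sample's vendor; its record list is constructed from the command lines printed above with made-up PIDs, and the rule names are mine.

```python
"""Triage msiexec.exe process-creation records for the setup-stub install chain.

Added example; RECORDS is constructed from the command lines this report prints,
with invented pid/ppid values, and is not an event-log export.
"""
import re
from dataclasses import dataclass

# Constructed records. PIDs are made up; parent/child links mirror the report's "Process created" lines.
RECORDS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\RIv8fq9APB.exe",
     "cmdline": r'"C:\Users\user\Desktop\RIv8fq9APB.exe"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": (r'"C:\Windows\system32\msiexec.exe" /i '
                 r'"C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" '
                 r'AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ '
                 r'EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI=""')},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408"},
]

# "/i <package>" with the package either quoted or a bare token.
MSI_INSTALL_RE = re.compile(r'\s/i\s+(?:"([^"]+?\.msi)"|(\S+\.msi))', re.IGNORECASE)
# Custom-action host started by the installer service: "-Embedding <32 hex chars>".
EMBEDDING_RE = re.compile(r"\s-Embedding\s+([0-9A-F]{32})\b", re.IGNORECASE)
# Stub arguments forwarded to the MSI as a public property.
PASSTHROUGH_RE = re.compile(r'EXE_CMD_LINE="([^"]*)"')
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def triage(records):
    """Return findings in record order. An install record yields, in order,
    msi_from_user_profile, msiexec_spawned_by_non_windows_binary and
    setup_stub_passthrough when they apply; an -Embedding record yields
    custom_action_host. Non-msiexec records are skipped."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        if not r["image"].lower().endswith("\\msiexec.exe"):
            continue
        cmd = r["cmdline"]
        m = MSI_INSTALL_RE.search(cmd)
        if m:
            msi = m.group(1) or m.group(2)
            parent = by_pid.get(r["ppid"])
            # Package staged under the user's profile, i.e. written by whatever launched msiexec.
            if USER_PROFILE_RE.match(msi):
                findings.append(Finding("msi_from_user_profile", r["pid"], msi))
            # msiexec launched by a binary outside C:\Windows (here: the stub on the desktop).
            if parent and not WINDOWS_DIR_RE.match(parent["image"]):
                findings.append(Finding("msiexec_spawned_by_non_windows_binary", r["pid"], parent["image"]))
            # Forwarded stub arguments; worth keeping because they are what the MSI's custom actions see.
            p = PASSTHROUGH_RE.search(cmd)
            if p:
                findings.append(Finding("setup_stub_passthrough", r["pid"], p.group(1).strip()))
        e = EMBEDDING_RE.search(cmd)
        if e:
            findings.append(Finding("custom_action_host", r["pid"], e.group(1).upper()))
    return findings


if __name__ == "__main__":
    for f in triage(RECORDS):
        print(f"{f.rule:40} pid={f.pid:<4} {f.detail}")
```

On a real host the records would come from Sysmon event 1 or Security 4688 with the parent image filled in; the rules deliberately key on where the package sits and who launched msiexec rather than on the vendor name, since the same chain is produced by legitimate and malicious setup stubs alike and it is the dropped custom-action DLLs (the MSI*.tmp files the report lists) that decide the verdict.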
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: RIv8fq9APB.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RIv8fq9APB.exe | Static file information: File size 49202888 > 1048576
Source: RIv8fq9APB.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: RIv8fq9APB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RIv8fq9APB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: wininet.pdbUGP source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: RIv8fq9APB.exe
Source: RIv8fq9APB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RIv8fq9APB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RIv8fq9APB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RIv8fq9APB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RIv8fq9APB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi44B7.tmp.0.dr | Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00322350 LoadLibraryW,GetProcAddress,FreeLibrary
Source: shi44B7.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shi44B7.tmp.0.dr | Static PE information: section name: .didat
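The 0xC7FEC470 stamp on shi44B7.tmp decodes to 29 April 2076, which is what trips the "Binary contains a suspicious time stamp" signature. The report itself ties that dropped file to wininet.dll (OriginalFilename wininet.dll and the wininet.pdb path elsewhere in this report), and Microsoft's deterministic builds store a hash rather than a build time in the COFF TimeDateStamp, so a future date on a file claiming to be a Windows component is a prompt to check its Authenticode signature, not a verdict on its own. The Python below is an added example and not part of the report: it builds a header-only PE with a chosen TimeDateStamp (constructed input, not the dropped file), reads the stamp back from the COFF header, decodes it, and classifies it against a reference time. Using the /wintime value 1731488877 from the installer command line as the approximate analysis time is an assumption.

```python
"""Decode and sanity-check a PE COFF TimeDateStamp.

Added example for this report; the PE image built here is a constructed
header-only blob, not the dropped file shi44B7.tmp.
"""
import struct
from datetime import datetime, timedelta, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


def build_minimal_pe(timestamp: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Construct a header-only PE image: a DOS header with e_lfanew, the PE
    signature and an IMAGE_FILE_HEADER carrying `timestamp`. It is not
    loadable; it exists so read_timestamp() has a realistic layout to parse."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    return bytes(dos) + b"PE\0\0" + coff


def read_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp, validating the MZ and PE magics first."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature; TimeDateStamp sits at +4 inside it.
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 4 + 4)
    return stamp


def timestamp_to_utc(stamp: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: int, reference: datetime,
                       slack: timedelta = timedelta(days=1)) -> str:
    """'zero' for an unset stamp, 'future' if it lies past the reference time
    plus a little slack for clock skew, otherwise 'plausible'. A 'future'
    result on a Microsoft deterministic build is expected (the field holds a
    hash), so confirm it with the Authenticode signature before acting on it."""
    if stamp == 0:
        return "zero"
    if timestamp_to_utc(stamp) > reference + slack:
        return "future"
    return "plausible"


if __name__ == "__main__":
    # Stamp from the report; reference time from the /wintime argument (assumption).
    image = build_minimal_pe(0xC7FEC470)
    stamp = read_timestamp(image)
    reference = timestamp_to_utc(1731488877)
    print(hex(stamp),
          timestamp_to_utc(stamp).strftime("%a %b %d %H:%M:%S %Y UTC"),
          classify_timestamp(stamp, reference))
```

Against a real sample, replace build_minimal_pe() with the file's bytes; read_timestamp() only needs the first e_lfanew + 24 bytes. The slack parameter is there because a stamp a few hours ahead of the sandbox clock is ordinary for a freshly built binary, while a stamp decades ahead is either a packer artefact or, as here, a reproducible-build hash.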
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_3_010EA61D push edi; ret 0_3_010EA629
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_3_010EA5A0 push ecx; ret 0_3_010EA5B1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_3_010ECCD4 push esp; ret 0_3_010ECCF5
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_3_010E9FE7 push ebx; ret 0_3_010EA011
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_3_010EA2E0 push ebp; ret 0_3_010EA2E1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0028A486 push esi; ret 0_2_0028A488
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003B6C6E push ecx; ret 0_2_003B6C81
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00303330 push ecx; mov dword ptr [esp], 3F800000h 0_2_00303478
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00235BE0 push ecx; mov dword ptr [esp], ecx 0_2_00235BE1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4871.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48A1.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File created: C:\Users\user\AppData\Local\Temp\MSI45D2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4812.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\decoder.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4545.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File created: C:\Users\user\AppData\Local\Temp\shi44B7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48C1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4871.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48A1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4812.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48C1.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI4871.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI48A1.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI45D2.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI4812.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\decoder.dll
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4545.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi44B7.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI48C1.tmp
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Evaded block: after key decision | graph_0-67221
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-69615
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | API coverage: 9.8 %
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install FullSizeInformation
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65 FullSizeInformation
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003243B0 FindFirstFileW,GetLastError,FindClose | 0_2_003243B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00342380 FindFirstFileW,FindClose | 0_2_00342380
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0023A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW | 0_2_0023A950
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003414D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle | 0_2_003414D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00323DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW | 0_2_00323DE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0032C0B0 FindFirstFileW,FindClose,FindClose | 0_2_0032C0B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0033E3A0 FindFirstFileW,FindClose | 0_2_0033E3A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034E610 FindFirstFileW,FindClose | 0_2_0034E610
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose | 0_2_0034B3D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034B7D0 FindFirstFileW,FindClose | 0_2_0034B7D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00323A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose | 0_2_00323A50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0035FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose | 0_2_0035FB20
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection | 0_2_0034A620
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003B365A VirtualQuery,GetSystemInfo | 0_2_003B365A
Source: 5646f9.msi.7.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003BAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_003BAD13
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003577C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers | 0_2_003577C0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_00322350 LoadLibraryW,GetProcAddress,FreeLibrary | 0_2_00322350
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003CC66D mov ecx, dword ptr fs:[00000030h] | 0_2_003CC66D
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003D783E mov eax, dword ptr fs:[00000030h] | 0_2_003D783E
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003B5CA1 mov esi, dword ptr fs:[00000030h] | 0_2_003B5CA1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003B5D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree | 0_2_003B5D0D
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_002521E0 __set_se_translator,SetUnhandledExceptionFilter | 0_2_002521E0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003B6738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_003B6738
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003BAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_003BAD13
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq utils 1.14.1\install\0beaf65\installer.msi" ai_setupexepath=c:\users\user\desktop\riv8fq9apb.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488877 " ai_euimsi=""
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq utils 1.14.1\install\0beaf65\installer.msi" ai_setupexepath=c:\users\user\desktop\riv8fq9apb.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488877 " ai_euimsi=""
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0034EAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle | 0_2_0034EAB0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx | 0_2_00344050
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW | 0_2_003D0186
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW | 0_2_003D41E6
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_003D430F
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW | 0_2_003D4415
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_003D44E4
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_003D3B80
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: EnumSystemLocalesW | 0_2_003CFC09
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW | 0_2_003D3D7B
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: EnumSystemLocalesW | 0_2_003D3E22
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: EnumSystemLocalesW | 0_2_003D3E6D
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: EnumSystemLocalesW | 0_2_003D3F08
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_003D3F93
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0035BB20 CreateNamedPipeW,CreateFileW | 0_2_0035BB20
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_003B72F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_003B72F4
Source: C:\Users\user\Desktop\RIv8fq9APB.exe | Code function: 0_2_0035A240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW | 0_2_0035A240
MITRE ATT&CK matrix, listed per tactic (techniques matched by this analysis carry their hit count in parentheses; the remaining entries are the unmatched cells of the default grid):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (1); Native API (3); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (21); Virtualization/Sandbox Evasion (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Peripheral Device Discovery (11); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (3); System Information Discovery (25)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1554995; sample: RIv8fq9APB.exe; start date: 13/11/2024; architecture: WINDOWS; score: 13). Process tree recovered from the graph: RIv8fq9APB.exe drops C:\Users\user\AppData\Roaming\...\decoder.dll (PE32), C:\Users\user\AppData\Local\...\shi44B7.tmp (PE32+), C:\Users\user\AppData\Local\...\MSI45D2.tmp (PE32) and C:\Users\user\AppData\Local\...\MSI4545.tmp (PE32), and starts an msiexec.exe process; a separate msiexec.exe instance drops C:\Windows\Installer\MSI48C1.tmp, C:\Windows\Installer\MSI48A1.tmp, C:\Windows\Installer\MSI4871.tmp and C:\Windows\Installer\MSI4812.tmp (all PE32) and starts two further msiexec.exe processes.

Source / Detection / Scanner
RIv8fq9APB.exe / 3% / ReversingLabs
RIv8fq9APB.exe / 6% / Virustotal
Source / Detection / Scanner
C:\Users\user\AppData\Local\Temp\MSI4545.tmp / 0% / ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4545.tmp / 0% / Virustotal
C:\Users\user\AppData\Local\Temp\MSI45D2.tmp / 0% / ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI45D2.tmp / 0% / Virustotal
C:\Users\user\AppData\Local\Temp\shi44B7.tmp / 0% / ReversingLabs
C:\Users\user\AppData\Local\Temp\shi44B7.tmp / 0% / Virustotal
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\decoder.dll / 0% / ReversingLabs
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\decoder.dll / 0% / Virustotal
C:\Windows\Installer\MSI4812.tmp / 0% / ReversingLabs
C:\Windows\Installer\MSI4871.tmp / 0% / ReversingLabs
C:\Windows\Installer\MSI48A1.tmp / 0% / ReversingLabs
C:\Windows\Installer\MSI48C1.tmp / 0% / ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name / Source / Malicious / Antivirus Detection / Reputation
Name: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/; Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr; Malicious: false; Reputation: high
Name: http://html4/loose.dtd; Source: shi44B7.tmp.0.dr; Malicious: false; Reputation: high
Name: https://www.advancedinstaller.com; Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr; Malicious: false; Reputation: high
Name: https://www.thawte.com/cps0/; Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr; Malicious: false; Reputation: high
Name: http://.css; Source: shi44B7.tmp.0.dr; Malicious: false; Reputation: high
Name: http://.jpg; Source: shi44B7.tmp.0.dr; Malicious: false; Reputation: high
Name: https://www.thawte.com/repository0W; Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr; Malicious: false; Reputation: high
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1554995
                Start date and time:2024-11-13 10:09:08 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 33s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:16
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:RIv8fq9APB.exe
                renamed because original name is a hash value
                Original Sample Name:895dccfa0aa2a7dfc4be56e0cf045dcbaf40a7ef23849ad30a3af38793fd214c.exe
                Detection:CLEAN
                Classification:clean13.winEXE@8/13@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 58%
                • Number of executed functions: 65
                • Number of non-executed functions: 242
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
Match / Associated Sample Name or URL / Detection / Threat Name
Match: C:\Users\user\AppData\Local\Temp\shi44B7.tmp
  • Associated sample: setup.exe; Detection: malicious; Threat name: Unknown
  • Associated sample: setup.exe; Detection: malicious; Threat name: Unknown
  • Associated sample: VirtualDesktop.Streamer.Setup.exe; Detection: malicious; Threat name: Unknown
  • Associated sample: VirtualDesktop.Streamer.Setup.exe; Detection: malicious; Threat name: Unknown
  • Associated sample: file.exe; Detection: malicious; Threat name: LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
  • Associated sample: Step 3 - Setup_Install.exe; Detection: malicious; Threat name: Xmrig
  • Associated URL: http://downloads.ciscocems.com/downloads/CeDAR/Setup_Cedar%208.05.08.zip; Detection: malicious; Threat name: Unknown
  • Associated sample: Bill Details.exe; Detection: malicious; Threat name: UltraVNC
  • Associated sample: Bill Details.exe; Detection: malicious; Threat name: UltraVNC
  • Associated sample: teracopy.exe; Detection: malicious; Threat name: Unknown
Match: C:\Users\user\AppData\Local\Temp\MSI4545.tmp
  • Associated sample: IM-vL5WWvBl.msi; Detection: malicious; Threat name: Unknown
                                      Process:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:6144:PBtBN+l8CKvSHJSTHLntEToqi/9rpiAO+7lMhZeBajAt7fgcY:PB/0l1K7HLnt5DgMlgZ7AtDgcY
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
                                       • Filename: IM-vL5WWvBl.msi, Detection: malicious
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):919520
                                      Entropy (8bit):6.451407326378623
                                      Encrypted:false
                                      SSDEEP:24576:1x90VXSK4fSa6HXr1iWn8Zlb2h4ntHurpllQ6a:Pq4Fb6HXr1iWnU84ntHurpllQ6a
                                      MD5:064278F42704CDCE52C8C527CF9AFBC7
                                      SHA1:007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
                                      SHA-256:070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
                                      SHA-512:9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Reputation:low
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):288
                                      Entropy (8bit):3.4203475049907834
                                      Encrypted:false
                                      SSDEEP:6:QmQlfuVBRM7OYrsfc/okjxaaOEqQbr62avKpnKBlv2K84UlUlxqCH:QmQ1u6sc/7aFEVbr62aInKT8Nw
                                      MD5:2A45DEB14B61E7DCD55E76CAD5D0DA90
                                      SHA1:7B377F290FF8F029B7E9E56CDC8601BCD024B73C
                                      SHA-256:D5E2421B7489131C8F688255E6CAF3C0917B85600A28AA24459C5A091647AF03
                                      SHA-512:418882D9908FB02B38FD98E1EA0BE380E0DF468ED48860FA6D5AC29E69740F884A85BE61877BD1D2C7312429FCB0C9720D65586104B03022DA04DAEB13F1267C
                                      Malicious:false
                                      Reputation:low
                                       Preview (UTF-16LE text, shown decoded):
                                       ConsoleHQ Utils cannot be installed on systems with screen resolution smaller than 1360 x 768
                                       === Logging stopped: 13/11/2024  04:10:13 ===
                                      Process:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5038592
                                      Entropy (8bit):6.043058205786219
                                      Encrypted:false
                                      SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                      MD5:11F7419009AF2874C4B0E4505D185D79
                                      SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                      SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                      SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
                                       • Filename: setup.exe, Detection: malicious
                                       • Filename: setup.exe, Detection: malicious
                                       • Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious
                                       • Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious
                                       • Filename: file.exe, Detection: malicious
                                       • Filename: Step 3 - Setup_Install.exe, Detection: malicious
                                       • Filename: , Detection: malicious
                                       • Filename: Bill Details.exe, Detection: malicious
                                       • Filename: Bill Details.exe, Detection: malicious
                                       • Filename: teracopy.exe, Detection: malicious
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {BE51696F-3A89-48E5-9B33-E41D97E462D1}, Number of Words: 0, Subject: ConsoleHQ Utils, Author: ConsolHQ LTD, Name of Creating Application: ConsoleHQ Utils, Template: ;1033, Comments: This installer database contains the logic and data required to install ConsoleHQ Utils., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):2201088
                                      Entropy (8bit):6.507535009201941
                                      Encrypted:false
                                      SSDEEP:49152:iYVYVKjlgZcDgcYrAvq4Fb6HXr1iWnU84ntHurpllQ6aSHCP1N0ZqgJtPAxl:xY4jluAjFnWnq1
                                      MD5:ABAD180C1B0F0863D91EBDBB6382AE08
                                      SHA1:E676F91353B4355F8A8D353E80C11EEBCC5164E2
                                      SHA-256:2BA084FDD89359762102D9AAE37627E5614ACB1079388BF9DDC0699706538445
                                      SHA-512:1302E9227BB026032191AEFAB7F3DEC438408AF865F59E8D1C8D7CD16D800582BDC5C3E99272930CD1CE679ADD591F684B9BF02FBC9BE05A6A4F3C8721AE9891
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):209920
                                      Entropy (8bit):6.447659228395253
                                      Encrypted:false
                                      SSDEEP:3072:tScXkSa4E7uzTK+NbkuO2DcUC1myXxskH9Xq4fa2KbDI0lSmb9D:Q7sO+EZ9LH2j7Mmb9
                                      MD5:A5FFDCF45D3D123139C49017B22F444E
                                      SHA1:7B3D3D293F9A34570FC91500A6580496147C7658
                                      SHA-256:8F49245444B02BF0E103C5A5850A0B2FB1F2880C917261D146E3B8BC3C166E40
                                      SHA-512:5FF195A70825EFCED761ACEEEC5A6F0D0E18C1A4074482F584EFABEF7166C957C728D71D6185E3487A1405C608D820EFA4E07C584D60A8D51625E5D8A9A89397
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):162168834
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:0FAA7BE325FA14A48C3D34155EDC1147
                                      SHA1:6EDDAA42450A6171A444BA703DFD99DE9C880DED
                                      SHA-256:F169D54249FBB5AA644EF763EE2574DB5A409A8155C833C2991A9604F2823847
                                      SHA-512:B39A2FE2617B54C890D9D229F850DEE97851CA31F1D3F1A5DF17090A8C26F009D850CDB2C2A2921820DBFFBA55E53AC474D1CF167B01D74E341CEFC45956D12D
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {BE51696F-3A89-48E5-9B33-E41D97E462D1}, Number of Words: 0, Subject: ConsoleHQ Utils, Author: ConsolHQ LTD, Name of Creating Application: ConsoleHQ Utils, Template: ;1033, Comments: This installer database contains the logic and data required to install ConsoleHQ Utils., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):2201088
                                      Entropy (8bit):6.507535009201941
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:ABAD180C1B0F0863D91EBDBB6382AE08
                                      SHA1:E676F91353B4355F8A8D353E80C11EEBCC5164E2
                                      SHA-256:2BA084FDD89359762102D9AAE37627E5614ACB1079388BF9DDC0699706538445
                                      SHA-512:1302E9227BB026032191AEFAB7F3DEC438408AF865F59E8D1C8D7CD16D800582BDC5C3E99272930CD1CE679ADD591F684B9BF02FBC9BE05A6A4F3C8721AE9891
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):919520
                                      Entropy (8bit):6.451407326378623
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:064278F42704CDCE52C8C527CF9AFBC7
                                      SHA1:007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
                                      SHA-256:070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
                                      SHA-512:9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):360001
                                      Entropy (8bit):5.362961300061858
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:B4B4EC64B2F3D717A0291116985536D3
                                      SHA1:2D19DA8BA2467793580C43090B26FC0D6770CD5C
                                      SHA-256:A04BC196A23F74479062045FDF92FDBB584BE7F25EADDDF6431967C034188C72
                                      SHA-512:66E7CB6229A7728C0F64791D2419DAC58395BB4878481A55C63219ECBD2F560A2D2F94E699425302F08C2BCC2932E69202024984F6B66122840F07DE98242E0C
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.97662894607415
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:RIv8fq9APB.exe
                                      File size:49'202'888 bytes
                                      MD5:607a6e4ea1d6aa1393f54ad0c3b51dd7
                                      SHA1:d3eefc0bd98d2d176483a80fa6f9e984d1e66e9a
                                      SHA256:895dccfa0aa2a7dfc4be56e0cf045dcbaf40a7ef23849ad30a3af38793fd214c
                                      SHA512:0a110b77bef153e208bdae89d5674dbfb7f3c83317a77cf4b8848d5cc7afade851e98f5224fbcdbeac72b3a05597228dcdede4d72231c56bd35ccc3b7b673e97
                                      SSDEEP:786432:qVbexzYbFwhkPMs2qpGgs5mh+G5OKnqKjhpiQl0dG8ciNRsrOXWn3:hUBowMy40ZO2jhpiQaGhiNZY3
                                      TLSH:6FB72331364EC52BCA6615B0292C9A9F651C7E750F71A8C7B3CC2E6E5B749C24332E27
                                      Icon Hash:9713331b4d3b2f0c
                                      Entrypoint:0x596c64
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6213B2EE [Mon Feb 21 15:42:38 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:836688c7d21e39394af41ce9a8c2d728
                                      Instruction
                                      call 00007F426C8C9C1Dh
                                      jmp 00007F426C8C93BFh
                                      mov ecx, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], ecx
                                      pop ecx
                                      pop edi
                                      pop edi
                                      pop esi
                                      pop ebx
                                      mov esp, ebp
                                      pop ebp
                                      push ecx
                                      ret
                                      mov ecx, dword ptr [ebp-10h]
                                      xor ecx, ebp
                                      call 00007F426C8C8A13h
                                      jmp 00007F426C8C9522h
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-10h], eax
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-10h], esp
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29cb94 | 0x28 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a7000 | 0x3d574 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e5000 | 0x256bc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x246778 | 0x70 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x246800 | 0x18 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x219f38 | 0x40 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x218000 | 0x2c0 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x299f88 | 0x260 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x216c3f | 0x216e00 | b670db57563315716440578ee99e5466 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x218000 | 0x85b8c | 0x85c00 | 59a6fbcfc1f150b26bf16fdd47452e43 | False | 0.3120947721962617 | data | 4.605894063170113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x29e000 | 0x89f0 | 0x6a00 | 1cea180402edcf39ea7c6193312cce32 | False | 0.14180424528301888 | DOS executable (block device driver 0aY) | 2.8670521481443174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x2a7000 | 0x3d574 | 0x3d600 | bcafcb99af5b59c4990dfdae04a1c744 | False | 0.26359231797352345 | data | 5.855593973635478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x2e5000 | 0x256bc | 0x25800 | 08f0f06260e93e98732bfb4145f07cca | False | 0.446171875 | data | 6.512576488264422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      IMAGE_FILE | 0x2a7bf0 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                      IMAGE_FILE | 0x2a7bf8 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                      RTF_FILE | 0x2a7c00 | 0x2e9 | Rich Text Format data, version 1, ANSI, code page 1252 | English | United States | 0.5503355704697986
                                      RTF_FILE | 0x2a7eec | 0xa1 | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | English | United States | 0.906832298136646
                                      RT_BITMAP | 0x2a7f90 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
                                      RT_BITMAP | 0x2a80d0 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
                                      RT_BITMAP | 0x2a88f8 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
                                      RT_BITMAP | 0x2ad1a0 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
                                      RT_BITMAP | 0x2adc0c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
                                      RT_BITMAP | 0x2add60 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
                                      RT_ICON | 0x2ae588 | 0x7c5a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9958534899792675
                                      RT_ICON | 0x2b61e4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.142848692771797
                                      RT_ICON | 0x2c6a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.29470954356846474
                                      RT_ICON | 0x2c8fb4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3621013133208255
                                      RT_ICON | 0x2ca05c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.45819672131147543
                                      RT_MENU | 0x2ca9e4 | 0x5c | data | English | United States | 0.8478260869565217
                                      RT_MENU | 0x2caa40 | 0x2a | data | English | United States | 1.0714285714285714
                                      RT_DIALOG | 0x2caa6c | 0xac | data | English | United States | 0.7151162790697675
                                      RT_DIALOG | 0x2cab18 | 0x2a6 | data | English | United States | 0.5132743362831859
                                      RT_DIALOG | 0x2cadc0 | 0x3b4 | data | English | United States | 0.43248945147679324
                                      RT_DIALOG | 0x2cb174 | 0xbc | data | English | United States | 0.7180851063829787
                                      RT_DIALOG | 0x2cb230 | 0x204 | data | English | United States | 0.560077519379845
                                      RT_DIALOG | 0x2cb434 | 0x282 | data | English | United States | 0.48598130841121495
                                      RT_DIALOG | 0x2cb6b8 | 0xcc | data | English | United States | 0.6911764705882353
                                      RT_DIALOG | 0x2cb784 | 0x146 | data | English | United States | 0.5736196319018405
                                      RT_DIALOG | 0x2cb8cc | 0x226 | data | English | United States | 0.4690909090909091
                                      RT_DIALOG | 0x2cbaf4 | 0x388 | data | English | United States | 0.45464601769911506
                                      RT_DIALOG | 0x2cbe7c | 0x1b4 | data | English | United States | 0.5458715596330275
                                      RT_DIALOG | 0x2cc030 | 0x136 | data | English | United States | 0.6064516129032258
                                      RT_DIALOG | 0x2cc168 | 0x4c | data | English | United States | 0.8289473684210527
                                      RT_STRING | 0x2cc1b4 | 0x45c | data | English | United States | 0.3844086021505376
                                      RT_STRING | 0x2cc610 | 0x344 | data | English | United States | 0.37320574162679426
                                      RT_STRING | 0x2cc954 | 0x2f8 | data | English | United States | 0.4039473684210526
                                      RT_STRING0x2ccc4c0x598dataEnglishUnited States0.2807262569832402
                                      RT_STRING0x2cd1e40x3aaStarOffice Gallery theme i, 1627418368 objects, 1st nEnglishUnited States0.4211087420042644
                                      RT_STRING0x2cd5900x5c0dataEnglishUnited States0.3498641304347826
                                      RT_STRING0x2cdb500x568dataEnglishUnited States0.32875722543352603
                                      RT_STRING0x2ce0b80x164dataEnglishUnited States0.5421348314606742
                                      RT_STRING0x2ce21c0x520dataEnglishUnited States0.39176829268292684
                                      RT_STRING0x2ce73c0x1a0dataEnglishUnited States0.45913461538461536
                                      RT_STRING0x2ce8dc0x18adataEnglishUnited States0.5228426395939086
                                      RT_STRING0x2cea680x216Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.46254681647940077
                                      RT_STRING0x2cec800x624dataEnglishUnited States0.3575063613231552
                                      RT_STRING0x2cf2a40x660dataEnglishUnited States0.3474264705882353
                                      RT_STRING0x2cf9040x2e2dataEnglishUnited States0.4037940379403794
                                      RT_GROUP_ICON0x2cfbe80x4cdataEnglishUnited States0.7763157894736842
                                      RT_VERSION0x2cfc340x2f4dataEnglishUnited States0.4417989417989418
                                      RT_HTML0x2cff280x37c8ASCII text, with very long lines (443), with CRLF line terminatorsEnglishUnited States0.08291316526610644
                                      RT_HTML0x2d36f00x1316ASCII text, with CRLF line terminatorsEnglishUnited States0.18399508800654932
                                      RT_HTML0x2d4a080x4faHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3626373626373626
                                      RT_HTML0x2d4f040x6acdHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10679931238798873
                                      RT_HTML0x2db9d40x6a2HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3486454652532391
                                      RT_HTML0x2dc0780x104aHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.2170263788968825
                                      RT_HTML0x2dd0c40x15b1HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.17612101566720692
                                      RT_HTML0x2de6780x205cexported SGML document, ASCII text, with very long lines (659), with CRLF line terminatorsEnglishUnited States0.13604538870111058
                                      RT_HTML0x2e06d40x368dHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10834228428213391
                                      RT_MANIFEST0x2e3d640x80fXML 1.0 document, ASCII text, with CRLF, LF line terminatorsEnglishUnited States0.40814348036839554
DLL | Import
KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
Language of compilation system | Country where language is spoken
English | United States
                                      No network behavior found

                                      Target ID:0
                                      Start time:04:10:00
                                      Start date:13/11/2024
                                      Path:C:\Users\user\Desktop\RIv8fq9APB.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\RIv8fq9APB.exe"
                                      Imagebase:0x220000
                                      File size:49'202'888 bytes
                                      MD5 hash:607A6E4EA1D6AA1393F54AD0C3B51DD7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:04:10:04
                                      Start date:13/11/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff6d13b0000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:8
                                      Start time:04:10:05
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C
                                      Imagebase:0x5f0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:04:10:05
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI=""
                                      Imagebase:0xac0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:04:10:05
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408
                                      Imagebase:0xac0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                        Execution Graph

                                        Execution Coverage:3.4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:22.4%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:78
67772->68282 68297 322230 75 API calls 67773->68297 67775->67767 67775->67768 68295 23b4c0 45 API calls 67775->68295 67776->67769 68296 23b4c0 45 API calls 67776->68296 67780 33e200 67783 33e20a 67780->67783 67784 33e28e 67780->67784 67781 33e18d 68298 3244f0 101 API calls 67781->68298 67787 33e255 67783->67787 67788 33e20f GetLastError 67783->67788 68290 33ff30 67784->68290 67787->67440 68300 322230 75 API calls 67788->68300 67789 33e1a5 68299 32df00 73 API calls 67789->68299 67792 33e229 68301 3244f0 101 API calls 67792->68301 67795 33e1bb 67795->67440 67796 33e23d 68302 32df00 73 API calls 67796->68302 67799 34475c 67798->67799 67803 338d96 67798->67803 67800 3b6199 std::_Facet_Register 2 API calls 67799->67800 67801 344766 67800->67801 68369 3615e0 67801->68369 67804 33e580 67803->67804 67805 33e5b5 67804->67805 67812 33e6dc 67804->67812 67806 33e664 67805->67806 67819 33e5bd 67805->67819 68535 33fd80 RaiseException 67806->68535 67807 33e92f 67809 33c580 15 API calls 67807->67809 67810 33e93e 67809->67810 67814 33c580 15 API calls 67810->67814 67811 33e762 67816 33e772 67811->67816 67817 33e80d 67811->67817 67812->67807 67812->67811 67813 33e66b 67815 33ea30 67813->67815 67821 33e67f 67813->67821 67820 33e808 67814->67820 68542 232970 RaiseException 67815->68542 67823 33c580 15 API calls 67816->67823 68463 33c580 67817->68463 68534 33f950 314 API calls ___vcrt_freefls@4 67819->68534 68536 33fdd0 117 API calls 67821->68536 67828 33e77d 67823->67828 67827 33e60d 67827->67459 67851 33e925 67828->67851 68537 33fd20 RaiseException 67828->68537 67849 33e818 67849->67815 67937->67220 67938->67220 67939->67248 67941 342ae6 67940->67941 67942 342ac0 67940->67942 68735 232970 RaiseException 67941->68735 67942->67941 67944 342ad2 DeleteFileW 67942->67944 67944->67941 67944->67942 67945 342bb8 67947 3bf5b6 ___vcrt_freefls@4 13 API calls 67945->67947 67949 337f25 67945->67949 67946 342bf4 68742 232970 RaiseException 67946->68742 67947->67949 67949->67327 67950 342c00 67952 
342b01 std::ios_base::_Ios_base_dtor 67952->67945 67952->67946 68736 35f6d0 67952->68736 67953->67322 67954->67337 67955->67361 67956->67236 67957->67243 67959 343e7e EnumResourceLanguagesW 67958->67959 67970 343fe1 67958->67970 67960 343ebd 67959->67960 67961 343f50 67960->67961 67962 343f0e 67960->67962 67963 344011 67960->67963 67969 343f1b __Getctype 67961->67969 68743 23b3a0 44 API calls 3 library calls 67961->68743 67965 3bf5b6 ___vcrt_freefls@4 13 API calls 67962->67965 67962->67969 68744 232970 RaiseException 67963->68744 67965->67969 67966 343fbf 67967 3bf5b6 ___vcrt_freefls@4 13 API calls 67966->67967 67966->67970 67967->67970 67968 34401d 67968->67300 67969->67963 67969->67966 67970->67300 67973->67249 67974->67284 68745 3cdbdd 67975->68745 67978->67367 67979->67376 67981->67297 67982->67306 67983->67306 67984->67415 67986 30ca4b 67985->67986 67987 30ca0d 67985->67987 67986->67415 67988 3bf5b6 ___vcrt_freefls@4 13 API calls 67987->67988 67988->67986 67989->67415 67990->67415 67991->67415 67992->67415 67993->67448 67994->67416 67995->67382 67996->67391 67997->67402 67998->67426 67999->67430 68000 33a570 391 API calls 4 library calls 68000->67417 68001->67422 68002->67438 68004 23b393 68003->68004 68006 23b346 68003->68006 68004->67451 68005 23b380 68752 2299c0 45 API calls 3 library calls 68005->68752 68006->68005 68008 23b356 68006->68008 68010 229650 45 API calls 68008->68010 68009 23b38b 68009->67451 68011 23b35c 68010->68011 68011->67451 68018->67398 68020 3b6676 68019->68020 68021 229e92 68020->68021 68027 3b66ea SleepConditionVariableCS WaitForSingleObjectEx EnterCriticalSection 68020->68027 68021->67520 68021->67527 68023->67523 68024->67527 68025->67524 68026->67528 68027->68020 68028->67540 68029->67544 68030->67559 68031->67559 68033 309785 68032->68033 68034 309746 68032->68034 68036 229b10 2 API calls 68033->68036 68042 309790 68033->68042 68035 309762 68034->68035 68043 2298a0 45 API calls 68034->68043 68044 229910 44 API calls 4 library 
calls 68035->68044 68041 3097aa 68036->68041 68039 309772 68045 229910 44 API calls 4 library calls 68039->68045 68041->67569 68042->67569 68043->68035 68044->68039 68045->68033 68047 229e50 53 API calls 68046->68047 68048 35c4ca 68047->68048 68049 35c4d0 68048->68049 68050 35c53a 68048->68050 68053 35c4f2 68049->68053 68054 35c4fd 68049->68054 68051 229b10 2 API calls 68050->68051 68052 35c544 68051->68052 68064 35bdb0 122 API calls std::_Locinfo::_Locinfo_ctor 68052->68064 68062 229390 53 API calls 68053->68062 68063 2299c0 45 API calls 3 library calls 68054->68063 68058 35c588 68058->67577 68059 35c4fb 68060 23a950 117 API calls 68059->68060 68061 35c525 68060->68061 68061->67577 68062->68059 68063->68059 68064->68058 68066 35c277 ConnectNamedPipe 68065->68066 68067 35c2b8 ReadFile 68065->68067 68066->68067 68070 35c284 GetLastError 68066->68070 68068 35c2e0 68067->68068 68069 35c34c 68067->68069 68068->68069 68071 35c2e5 68068->68071 68073 229e50 53 API calls 68069->68073 68070->68067 68072 35c291 68070->68072 68074 236990 62 API calls 68071->68074 68072->68067 68075 35c297 68072->68075 68076 35c351 68073->68076 68077 35c2f0 68074->68077 68078 229e50 53 API calls 68075->68078 68079 35c29c 68076->68079 68080 35c357 68076->68080 68114 229650 68077->68114 68078->68079 68081 229b10 2 API calls 68079->68081 68085 35c2a4 68079->68085 68080->68085 68083 35c391 68081->68083 68086 35c415 WriteFile 68083->68086 68087 35c3d6 68083->68087 68084 35c302 68084->67591 68085->67591 68088 35c432 68086->68088 68089 35c44c 68086->68089 68090 229e50 53 API calls 68087->68090 68091 229e50 53 API calls 68088->68091 68093 35c240 118 API calls 68089->68093 68092 35c3db 68090->68092 68094 35c437 68091->68094 68095 35c3e3 68092->68095 68097 229b10 2 API calls 68092->68097 68093->68094 68094->67591 68094->68092 68096 35c43d 68094->68096 68095->67591 68096->68095 68098 35c487 68097->68098 68099 229e50 53 API calls 68098->68099 68100 35c4ca 68099->68100 68101 35c4d0 68100->68101 68102 
35c53a 68100->68102 68105 35c4f2 68101->68105 68106 35c4fd 68101->68106 68103 229b10 2 API calls 68102->68103 68104 35c544 68103->68104 68127 35bdb0 122 API calls std::_Locinfo::_Locinfo_ctor 68104->68127 68125 229390 53 API calls 68105->68125 68126 2299c0 45 API calls 3 library calls 68106->68126 68110 35c4fb 68111 23a950 117 API calls 68110->68111 68113 35c525 68111->68113 68112 35c588 68112->67591 68113->67591 68115 22965b 68114->68115 68116 22966a 68115->68116 68117 2296a2 68115->68117 68118 229683 68115->68118 68116->68084 68129 229850 45 API calls 68117->68129 68128 229910 44 API calls 4 library calls 68118->68128 68121 22969a 68121->68084 68122 2296a7 68123 229650 45 API calls 68122->68123 68124 2296e6 68123->68124 68124->68084 68125->68110 68126->68110 68127->68112 68128->68121 68129->68122 68130->67602 68132 229743 68131->68132 68133 229752 68131->68133 68132->68133 68134 229b10 2 API calls 68132->68134 68133->67615 68135 2297ac 68134->68135 68136->67607 68137->67604 68139 22e892 68138->68139 68140 22e862 68138->68140 68143 229e50 53 API calls 68139->68143 68145 22e8a6 68139->68145 68141 229650 45 API calls 68140->68141 68142 22e867 68141->68142 68142->67633 68143->68145 68170 22ebe0 92 API calls 4 library calls 68145->68170 68147 22e8b9 68147->67633 68148->67647 68149->67669 68150->67658 68151->67646 68152->67658 68153->67684 68154->67630 68155->67649 68156->67648 68157->67679 68158->67679 68159->67654 68160->67660 68161->67694 68162->67702 68163->67699 68164->67698 68165->67699 68166->67705 68167->67675 68168->67687 68169->67689 68170->68147 68172 229e50 53 API calls 68171->68172 68185 30506e 68172->68185 68173 3051e0 68174 229b10 2 API calls 68173->68174 68175 3051ea 68174->68175 68177 229b10 2 API calls 68175->68177 68176 3051af 68178 3b615a _ValidateLocalCookies 5 API calls 68176->68178 68179 3051f4 68177->68179 68180 3051d0 68178->68180 68182 30520b 68179->68182 68184 3bf5b6 ___vcrt_freefls@4 13 API calls 68179->68184 68180->67717 68181 3051d6 68183 
229b10 2 API calls 68181->68183 68182->67717 68183->68173 68187 305239 68184->68187 68185->68173 68185->68176 68185->68181 68186 3050e7 68185->68186 68188 3050f5 68186->68188 68197 305250 HeapAlloc RaiseException std::_Facet_Register 68186->68197 68187->67717 68198 3bf527 44 API calls 3 library calls 68188->68198 68191 30510d 68191->68175 68194 305141 68191->68194 68199 2298a0 45 API calls 68191->68199 68193 305191 68193->68176 68200 305210 13 API calls ___vcrt_freefls@4 68193->68200 68194->68175 68194->68193 68194->68194 68196->67725 68197->68188 68198->68191 68199->68194 68200->68176 68201->67733 68202->67735 68203->67757 68206->67743 68209 229543 68207->68209 68222 2295e2 68207->68222 68208 229b10 2 API calls 68210 229637 68208->68210 68224 3bf4a5 68209->68224 68211 229b10 2 API calls 68210->68211 68213 229641 68211->68213 68214 229e50 53 API calls 68216 22958f 68214->68216 68230 229450 68216->68230 68219 2295c2 68240 3bf4e6 68219->68240 68222->68208 68223 228e43 68222->68223 68223->68000 68225 3bf4b9 __Getctype 68224->68225 68247 3bb5bf 68225->68247 68231 229481 68230->68231 68232 2294eb 68230->68232 68235 2294ae 68231->68235 68236 2294a1 68231->68236 68233 229b10 2 API calls 68232->68233 68234 2294f5 68233->68234 68270 2299c0 45 API calls 3 library calls 68235->68270 68269 229390 53 API calls 68236->68269 68239 2294ac 68239->68219 68246 2298a0 45 API calls 68239->68246 68241 3bf4fa __Getctype 68240->68241 68271 3bb7e1 68241->68271 68244 3bac4b __Getctype 44 API calls 68245 3bf522 68244->68245 68245->68222 68246->68219 68248 3bb5eb 68247->68248 68249 3bb60e 68247->68249 68264 3bae92 44 API calls 2 library calls 68248->68264 68249->68248 68252 3bb616 68249->68252 68251 3b615a _ValidateLocalCookies 5 API calls 68253 3bb740 68251->68253 68265 3bdd92 55 API calls __cftof 68252->68265 68258 3bac4b 68253->68258 68256 3bb603 68256->68251 68257 3bb697 68266 3bd2b4 13 API calls ___free_lconv_mon 68257->68266 68259 3bac57 68258->68259 68260 3bac6e 68259->68260 68267 
3bacf6 44 API calls __Getctype 68259->68267 68262 229563 68260->68262 68268 3bacf6 44 API calls __Getctype 68260->68268 68262->68210 68262->68214 68262->68216 68264->68256 68265->68257 68266->68256 68267->68260 68268->68262 68269->68239 68270->68239 68272 3bb7ed 68271->68272 68274 3bb810 68271->68274 68279 3bae92 44 API calls 2 library calls 68272->68279 68277 3bb837 68274->68277 68280 3bb2c8 55 API calls 2 library calls 68274->68280 68278 3bb808 68277->68278 68281 3bae92 44 API calls 2 library calls 68277->68281 68278->68244 68279->68278 68280->68277 68281->68278 68287 35f336 68282->68287 68283 35f38b SetFilePointer 68285 35f3a4 GetLastError 68283->68285 68286 35f3b2 ReadFile 68283->68286 68284 35f33d 68284->67780 68285->68284 68285->68286 68286->68284 68286->68287 68287->68283 68287->68284 68288 35f466 SetFilePointer 68287->68288 68288->68284 68289 35f48e ReadFile 68288->68289 68289->68284 68303 340b10 68290->68303 68292 33e29c 68292->67440 68293 33ff3f 68293->68292 68322 340ff0 68293->68322 68295->67767 68296->67769 68297->67781 68298->67789 68299->67795 68300->67792 68301->67796 68302->67787 68304 340bfd 68303->68304 68305 340b5b SetFilePointer 68303->68305 68304->68293 68305->68304 68306 340c11 68305->68306 68307 229e50 53 API calls 68306->68307 68308 340c31 68307->68308 68309 340f5a 68308->68309 68312 340e20 68308->68312 68313 340c6f ReadFile 68308->68313 68310 229b10 2 API calls 68309->68310 68311 340f64 68310->68311 68358 232970 RaiseException 68311->68358 68312->68293 68313->68312 68315 340edc GetLastError 68313->68315 68355 322230 75 API calls 68315->68355 68316 340f70 68316->68293 68318 340ef9 68356 3244f0 101 API calls 68318->68356 68320 340f13 68357 32df00 73 API calls 68320->68357 68323 34102b SetFilePointer 68322->68323 68327 3412ac 68322->68327 68324 341056 GetLastError 68323->68324 68325 3410da 68323->68325 68359 322230 75 API calls 68324->68359 68326 341100 ReadFile 68325->68326 68325->68327 68329 341383 GetLastError 68326->68329 68349 341122 
68326->68349 68327->68292 68366 322230 75 API calls 68329->68366 68330 341070 68360 3244f0 101 API calls 68330->68360 68333 229e50 53 API calls 68333->68349 68334 3413a0 68367 3244f0 101 API calls 68334->68367 68335 341088 68361 32df00 73 API calls 68335->68361 68337 3413f9 68340 229b10 2 API calls 68337->68340 68338 3413b5 68368 32df00 73 API calls 68338->68368 68342 341403 68340->68342 68341 34109e 68341->68292 68344 341182 ReadFile 68345 3412d9 GetLastError 68344->68345 68344->68349 68363 322230 75 API calls 68345->68363 68347 3412f6 68364 3244f0 101 API calls 68347->68364 68348 341323 68348->68327 68349->68326 68349->68327 68349->68329 68349->68333 68349->68337 68349->68344 68349->68345 68349->68348 68349->68349 68354 229650 45 API calls 68349->68354 68362 2299c0 45 API calls 3 library calls 68349->68362 68352 34130b 68365 32df00 73 API calls 68352->68365 68354->68349 68355->68318 68356->68320 68357->68309 68358->68316 68359->68330 68360->68335 68361->68341 68362->68349 68363->68347 68364->68352 68365->68348 68366->68334 68367->68338 68368->68348 68370 229e50 53 API calls 68369->68370 68371 361688 68370->68371 68372 3617e9 68371->68372 68376 229e50 53 API calls 68371->68376 68373 229b10 2 API calls 68372->68373 68378 3616ab 68376->68378 68378->68372 68464 33c5ba 68463->68464 68465 33c5cb 68463->68465 68464->68465 68466 229b10 2 API calls 68464->68466 68465->67849 68467 33c65a 68466->68467 68534->67827 68535->67813 68735->67952 68737 35f710 68736->68737 68738 35f745 68737->68738 68739 35f734 FreeLibrary 68737->68739 68740 35f799 68738->68740 68741 35f788 CloseHandle 68738->68741 68739->68738 68740->67952 68741->68740 68742->67950 68743->67961 68744->67968 68746 3cdbe8 RtlFreeHeap 68745->68746 68747 3bf5ce 68745->68747 68746->68747 68748 3cdbfd GetLastError 68746->68748 68747->67329 68749 3cdc0a ___free_lconv_mon 68748->68749 68751 3bb02f 13 API calls std::locale::_Setgloballocale 68749->68751 68751->68747 68752->68009 68753 339490 68811 33a570 391 API calls 4 
library calls 68753->68811 68755 3394c5 68812 33db70 103 API calls 2 library calls 68755->68812 68757 3394cd 68782 344350 68757->68782 68760 33e0a0 139 API calls 68761 3394e6 68760->68761 68762 3394ea 68761->68762 68793 32ab60 55 API calls 68761->68793 68764 339514 68794 336200 68764->68794 68783 23b330 45 API calls 68782->68783 68784 34437e 68783->68784 68785 23b330 45 API calls 68784->68785 68786 344387 68785->68786 68813 361080 68786->68813 68788 34438f 68838 34c7e0 63 API calls _ValidateLocalCookies 68788->68838 68790 34439c 68791 228e30 73 API calls 68790->68791 68792 3394df 68791->68792 68792->68760 68793->68764 68844 33e3a0 68794->68844 68797 336253 CreateFileW 68799 336291 SetFilePointer 68797->68799 68802 336280 68797->68802 68798 336346 68810 32be90 252 API calls 68798->68810 68801 3362ba 68799->68801 68799->68802 68800 336339 CloseHandle 68800->68798 68803 305030 54 API calls 68801->68803 68802->68798 68802->68800 68804 3362c9 68803->68804 68805 3362e4 ReadFile 68804->68805 68874 2297c0 45 API calls 68804->68874 68805->68802 68807 3362f7 68805->68807 68807->68802 68875 358a60 110 API calls 68807->68875 68808 3362e1 68808->68805 68811->68755 68812->68757 68814 229650 45 API calls 68813->68814 68815 3610bf 68814->68815 68816 3610e0 GetFileVersionInfoSizeW 68815->68816 68839 2297c0 45 API calls 68815->68839 68819 361105 68816->68819 68820 3610f8 68816->68820 68818 3610dd 68818->68816 68819->68788 68820->68819 68821 36112a GetFileVersionInfoW 68820->68821 68840 2297c0 45 API calls 68820->68840 68821->68819 68822 361141 68821->68822 68825 229e50 53 API calls 68822->68825 68824 361127 68824->68821 68826 361146 68825->68826 68827 361290 68826->68827 68832 361150 68826->68832 68828 229b10 2 API calls 68827->68828 68829 36129a 68828->68829 68843 3612c0 WaitForSingleObject GetExitCodeThread TerminateThread CloseHandle 68829->68843 68831 3612a8 std::ios_base::_Ios_base_dtor 68831->68788 68833 228e30 73 API calls 68832->68833 68834 3611a8 68833->68834 68836 3611bf 
68834->68836 68841 2297c0 45 API calls 68834->68841 68836->68819 68842 2299c0 45 API calls 3 library calls 68836->68842 68838->68790 68839->68818 68840->68824 68841->68836 68842->68819 68843->68831 68845 33e403 68844->68845 68846 33e447 68844->68846 68876 33fd20 RaiseException 68845->68876 68877 33fd80 RaiseException 68846->68877 68849 33e40c 68851 33e416 68849->68851 68852 33e50a 68849->68852 68850 33e44e 68850->68852 68853 33e456 68850->68853 68854 33e563 68851->68854 68855 33e41f 68851->68855 68856 229e50 53 API calls 68852->68856 68853->68854 68857 33e462 68853->68857 68879 232970 RaiseException 68854->68879 68859 229650 45 API calls 68855->68859 68860 33e51e 68856->68860 68878 33fdd0 117 API calls 68857->68878 68863 33e43d 68859->68863 68862 33e56f 68860->68862 68860->68863 68865 229b10 2 API calls 68862->68865 68869 3b615a _ValidateLocalCookies 5 API calls 68863->68869 68864 33e477 FindFirstFileW 68866 33e4a9 68864->68866 68868 33e579 68865->68868 68867 229650 45 API calls 68866->68867 68870 33e4b9 68867->68870 68871 33623c 68869->68871 68872 33e4e6 68870->68872 68873 33e4d8 FindClose 68870->68873 68871->68797 68871->68798 68872->68863 68873->68872 68874->68808 68875->68802 68876->68849 68877->68850 68878->68864 68879->68862 68880 3414d0 68881 229e50 53 API calls 68880->68881 68885 341525 68881->68885 68882 341f4f 68883 229b10 2 API calls 68882->68883 68884 341f59 68883->68884 68885->68882 68886 229e50 53 API calls 68885->68886 68887 341564 68886->68887 68887->68882 68888 229e50 53 API calls 68887->68888 68890 341582 68888->68890 68889 341681 68891 229e50 53 API calls 68889->68891 68890->68882 68890->68889 68962 3239b0 101 API calls 68890->68962 68907 3416be std::locale::_Setgloballocale 68891->68907 68893 3415b3 68894 23b330 45 API calls 68893->68894 68895 3415c0 68894->68895 68898 23b330 45 API calls 68895->68898 68896 341bf5 68950 360810 68896->68950 68901 341618 68898->68901 68899 3b6199 std::_Facet_Register 2 API calls 68899->68907 68963 342090 101 API 
calls 68901->68963 68902 341c43 68906 341dac CloseHandle 68902->68906 68940 341c4e 68902->68940 68904 341cf7 CreateThread 68909 341d24 68904->68909 68910 341d2b WaitForSingleObject GetExitCodeThread 68904->68910 68990 35f930 280 API calls 68904->68990 68905 341cca CreateEventW 68908 341ce1 68905->68908 68906->68940 68907->68882 68907->68896 68907->68899 68919 3417cc 68907->68919 68921 341f43 68907->68921 68929 229e50 53 API calls 68907->68929 68930 31fde0 54 API calls 68907->68930 68932 23b330 45 API calls 68907->68932 68939 324920 127 API calls 68907->68939 68907->68940 68942 341a75 std::locale::_Setgloballocale 68907->68942 68943 31f300 46 API calls 68907->68943 68944 35f7b0 68907->68944 68964 3239b0 101 API calls 68907->68964 68965 35f850 CreateFileW 68907->68965 68908->68904 68909->68910 68913 341d43 68910->68913 68914 341d6b 68910->68914 68911 341dce CloseHandle 68912 341dd8 68911->68912 68917 30c9e0 13 API calls 68912->68917 68913->68902 68915 341d59 CloseHandle 68913->68915 68914->68902 68916 341d7a CloseHandle 68914->68916 68915->68902 68916->68902 68924 341e0c std::ios_base::_Ios_base_dtor 68917->68924 68918 341e8b 68920 3bf5b6 ___vcrt_freefls@4 13 API calls 68918->68920 68923 341e9f 68918->68923 68920->68923 68972 232970 RaiseException 68921->68972 68925 3b615a _ValidateLocalCookies 5 API calls 68923->68925 68924->68918 68924->68921 68926 35f6d0 2 API calls 68924->68926 68927 341f2f 68925->68927 68926->68924 68929->68907 68930->68907 68931 31fde0 54 API calls 68931->68942 68932->68907 68934 341a9e FindFirstFileW 68935 341ae2 FindClose 68934->68935 68934->68942 68935->68942 68937 23b330 45 API calls 68937->68942 68938 35f850 281 API calls 68938->68942 68939->68907 68940->68911 68940->68912 68941 341c57 68941->68940 68942->68907 68942->68931 68942->68934 68942->68937 68942->68938 68942->68941 68943->68907 68945 35f7be LoadLibraryW 68944->68945 68946 35f7b9 68944->68946 68947 35f7d7 68945->68947 68946->68907 68948 35f7f7 GetProcAddress GetProcAddress 
GetProcAddress GetProcAddress 68947->68948 68949 35f7f1 68947->68949 68948->68907 68949->68907 68951 360876 CreateThread 68950->68951 68952 360848 CreateEventW 68950->68952 68953 3608b2 68951->68953 68954 36098c WaitForSingleObject GetExitCodeThread 68951->68954 68974 360bd0 68951->68974 68955 36085d 68952->68955 68958 3609dd 68953->68958 68960 360970 68953->68960 68956 341c3d 68954->68956 68957 3609b9 CloseHandle 68954->68957 68955->68951 68956->68902 68956->68904 68956->68905 68957->68956 68973 232970 RaiseException 68958->68973 68960->68954 68961 3609e9 68962->68893 68963->68889 68964->68907 68966 35f87d 68965->68966 68967 35f8f9 68966->68967 68968 229b10 2 API calls 68966->68968 68967->68907 68969 35f92b 68968->68969 68989 35f940 280 API calls ___vcrt_freefls@4 68969->68989 68971 35f939 68971->68907 68972->68882 68973->68961 68975 3609f0 RaiseException 68974->68975 68976 360bd4 68975->68976 68979 3609f0 68976->68979 68978 360bd9 68981 360a2a 68979->68981 68980 360b83 68980->68978 68981->68980 68988 232970 RaiseException 68981->68988 68983 360bc5 68984 3609f0 RaiseException 68983->68984 68985 360bd4 68984->68985 68986 3609f0 RaiseException 68985->68986 68987 360bd9 68986->68987 68987->68978 68988->68983 68989->68971 68991 2521e0 68992 2521f3 std::ios_base::_Ios_base_dtor 68991->68992 68997 3b7d0c 68992->68997 68995 252209 SetUnhandledExceptionFilter 68996 25221b 68995->68996 69002 3b7d44 68997->69002 68999 3b7d15 69000 3b7d44 __set_se_translator 54 API calls 68999->69000 69001 2521fd 69000->69001 69001->68995 69001->68996 69015 3b7d52 22 API calls 4 library calls 69002->69015 69004 3b7d49 69004->68999 69016 3cf247 EnterCriticalSection std::locale::_Setgloballocale 69004->69016 69006 3bfe16 69007 3bfe21 69006->69007 69017 3cf28c 44 API calls 7 library calls 69006->69017 69009 3bfe2b IsProcessorFeaturePresent 69007->69009 69010 3bfe4a 69007->69010 69011 3bfe37 69009->69011 69019 3cc73e 69010->69019 69018 3bad13 8 API calls 2 library calls 69011->69018 69015->69004 
69016->69006 69017->69007 69018->69010 69022 3cc5a5 69019->69022 69023 3cc5e4 69022->69023 69024 3cc5d2 69022->69024 69034 3cc44e 69023->69034 69047 3b7247 GetModuleHandleW 69024->69047 69027 3cc5d7 69027->69023 69048 3cc68f GetModuleHandleExW 69027->69048 69028 3cc61b 69029 3bfe54 69028->69029 69040 3cc63c 69028->69040 69029->68999 69035 3cc45a std::_Locinfo::_Locinfo_ctor 69034->69035 69054 3ca89a EnterCriticalSection 69035->69054 69037 3cc464 69055 3cc4ba 69037->69055 69039 3cc471 std::locale::_Setgloballocale 69039->69028 69117 3cc66d 69040->69117 69043 3cc65a 69045 3cc68f std::locale::_Setgloballocale 3 API calls 69043->69045 69044 3cc64a GetCurrentProcess TerminateProcess 69044->69043 69046 3cc662 ExitProcess 69045->69046 69047->69027 69049 3cc6ce GetProcAddress 69048->69049 69050 3cc6ef 69048->69050 69049->69050 69053 3cc6e2 69049->69053 69051 3cc5e3 69050->69051 69052 3cc6f5 FreeLibrary 69050->69052 69051->69023 69052->69051 69053->69050 69054->69037 69058 3cc4c6 std::_Locinfo::_Locinfo_ctor 69055->69058 69056 3cc55b 69056->69039 69057 3cc52d 69059 3cc54a 69057->69059 69067 3cd2ed 69057->69067 69058->69056 69058->69057 69063 3cd049 69058->69063 69062 3cd2ed std::locale::_Setgloballocale 44 API calls 69059->69062 69062->69056 69064 3cd055 __EH_prolog3 69063->69064 69071 3ccda1 69064->69071 69066 3cd07c std::locale::_Init 69066->69057 69068 3cd314 69067->69068 69069 3cd2fb 69067->69069 69068->69059 69069->69068 69082 221990 69069->69082 69072 3ccdad std::_Locinfo::_Locinfo_ctor 69071->69072 69077 3ca89a EnterCriticalSection 69072->69077 69074 3ccdbb 69078 3ccf59 69074->69078 69076 3ccdc8 std::locale::_Setgloballocale 69076->69066 69077->69074 69079 3ccf70 69078->69079 69080 3ccf78 69078->69080 69079->69076 69080->69079 69081 3cdbdd ___free_lconv_mon 13 API calls 69080->69081 69081->69079 69083 2219cd 69082->69083 69090 226450 69083->69090 69085 221a67 69100 3b651a 44 API calls 69085->69100 69087 221a8d 69088 3b615a _ValidateLocalCookies 5 API calls 
69087->69088 69089 221aa5 69088->69089 69089->69069 69091 2264b1 69090->69091 69097 226505 69090->69097 69092 226536 69091->69092 69093 2264b9 69091->69093 69116 2269c0 44 API calls 69092->69116 69101 226aa0 69093->69101 69097->69085 69098 226540 44 API calls 69099 2264bf 69098->69099 69099->69097 69099->69098 69100->69087 69102 226aab 69101->69102 69103 226aef 69101->69103 69105 226ada 69102->69105 69106 226ab8 69102->69106 69104 227630 44 API calls 69103->69104 69114 226ac5 69104->69114 69107 226aea 69105->69107 69109 3b6199 std::_Facet_Register RaiseException EnterCriticalSection 69105->69109 69106->69103 69108 226abf 69106->69108 69107->69099 69111 3b6199 std::_Facet_Register RaiseException EnterCriticalSection 69108->69111 69112 226ae4 69109->69112 69110 3baf1f 44 API calls 69113 226af9 69110->69113 69111->69114 69112->69099 69114->69110 69115 226ace 69114->69115 69115->69099 69122 3d783e 6 API calls std::locale::_Setgloballocale 69117->69122 69119 3cc672 69120 3cc646 69119->69120 69121 3cc677 GetPEB 69119->69121 69120->69043 69120->69044 69121->69120 69122->69119 69123 360f70 69132 360be0 69123->69132 69126 36102e GetLastError 69130 360fda 69126->69130 69127 360fca 69129 360fe1 GetFileVersionInfoW 69127->69129 69127->69130 69128 361040 DeleteFileW 69131 361047 69128->69131 69129->69126 69129->69130 69130->69128 69130->69131 69147 3229d0 69132->69147 69135 360c25 SHGetFolderPathW 69137 360c43 std::locale::_Setgloballocale 69135->69137 69136 360d8a 69138 3b615a _ValidateLocalCookies 5 API calls 69136->69138 69137->69136 69140 360cba GetTempPathW 69137->69140 69139 360db8 GetFileVersionInfoSizeW 69138->69139 69139->69126 69139->69127 69154 3b8750 69140->69154 69144 360d0e Wow64DisableWow64FsRedirection CopyFileW 69145 360d60 69144->69145 69145->69136 69146 360d78 Wow64RevertWow64FsRedirection 69145->69146 69146->69136 69148 322b00 79 API calls 69147->69148 69149 3229f9 69148->69149 69150 3b6662 4 API calls 69149->69150 69153 322aa7 69149->69153 69151 322a20 
std::locale::_Setgloballocale 69150->69151 69151->69153 69158 3b6618 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 69151->69158 69153->69135 69153->69136 69155 360ce2 GetTempFileNameW 69154->69155 69156 360e20 69155->69156 69157 360e2a 69156->69157 69157->69144 69158->69153 69159 36f190 69170 36eab0 69159->69170 69162 36f1ba 69179 36f260 69162->69179 69165 227070 44 API calls 69165->69162 69171 227070 44 API calls 69170->69171 69172 36eac8 69171->69172 69173 36eae0 69172->69173 69174 2277d0 44 API calls 69172->69174 69251 371130 69173->69251 69174->69172 69176 36eaf8 69178 36eb1e 69176->69178 69255 2285c0 44 API calls std::ios_base::_Ios_base_dtor 69176->69255 69178->69162 69178->69165 69180 36f2aa 69179->69180 69209 36f5b1 69179->69209 69182 227070 44 API calls 69180->69182 69181 3b615a _ValidateLocalCookies 5 API calls 69183 36f1ca 69181->69183 69184 36f2d0 69182->69184 69216 36f5e0 69183->69216 69185 36f472 69184->69185 69193 36f2df 69184->69193 69186 226e80 44 API calls 69185->69186 69187 36f3c2 69186->69187 69259 228e50 44 API calls 69187->69259 69189 36f3d6 69260 228ef0 44 API calls 69189->69260 69191 227070 44 API calls 69191->69193 69192 36f3e9 69195 226e80 44 API calls 69192->69195 69193->69187 69193->69191 69201 226e80 44 API calls 69193->69201 69205 2277d0 44 API calls 69193->69205 69257 2492b0 44 API calls 69193->69257 69258 228ef0 44 API calls 69193->69258 69196 36f405 69195->69196 69198 2277d0 44 API calls 69196->69198 69199 36f411 69198->69199 69200 2277d0 44 API calls 69199->69200 69202 36f41d 69200->69202 69201->69193 69203 226e80 44 API calls 69202->69203 69215 36f44e 69202->69215 69204 36f430 69203->69204 69206 226e80 44 API calls 69204->69206 69205->69193 69206->69215 69207 36f556 69208 2277d0 44 API calls 69207->69208 69208->69209 69209->69181 69210 227070 44 API calls 69210->69215 69213 226e80 44 API calls 69213->69215 69214 2277d0 44 API calls 69214->69215 69215->69207 69215->69210 69215->69213 69215->69214 69261 2492b0 
                                        • Control-flow graph edge list (rendered graph not reproduced). The nodes reference, among others, the Windows API calls EnterCriticalSection, RtlAllocateHeap, RtlReAllocateHeap, LoadLibraryExA, GetProcAddress, FreeLibrary, RaiseException, RegCreateKeyExW, RegCloseKey, GetUserNameW, GetEnvironmentVariableW, GetCurrentProcess, OpenProcessToken, GetTokenInformation, CloseHandle, GetTickCount, GetShortPathNameW, SHGetFolderPathW, PathFileExistsW, GetFileAttributesW, FindNextFileW, FindClose, GetSystemDirectoryW, LoadLibraryExW, CallWindowProcW, GetWindowLongW, SetWindowLongW, SetWindowPos and DestroyWindow, plus CRT/STL helpers (std::_Facet_Register, std::locale::_Setgloballocale, _ValidateLocalCookies, ___delayLoadHelper2@8).
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        • SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00337F67
                                        • SetEvent.KERNEL32(?), ref: 00337FC5
                                          • Part of subcall function 00342AB0: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,79276D7D), ref: 00342ADB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
                                        • String ID: WD$%hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$T`L$T`L$T`L$T`L$T`L$T`L$h[D$hE$lEhE$}m'y$>D
                                        • API String ID: 4144826820-120009902
                                        • Opcode ID: 83464f53d08b21b5f24ce5bab6e46bf7b140d227d969ff84fedc33e86d5a97c8
                                        • Instruction ID: 66dabd8c02ee83ed5f61c45d9ba0a991c42cf91f1639385699e4aab4382c5896
                                        • Opcode Fuzzy Hash: 83464f53d08b21b5f24ce5bab6e46bf7b140d227d969ff84fedc33e86d5a97c8
                                        • Instruction Fuzzy Hash: 16E2D17090060ADFDB01DFA8C889BAEFBB5FF45314F158269E415EB292EB749D04CB91

                                        Control-flow Graph

                                        • Control-flow graph of the function starting at 0035B350 (rendered graph with its executed/not-executed colouring not reproduced). Its basic blocks call, among others, SetWindowTextW, GetDlgItem, SendMessageW and EndDialog, and the internal helpers 229e50, 228e30, 229b10, 2298a0, 3bf76b, 320f40 and 2859b0.
                                        Strings
                                        • PackageCode, xrefs: 0035B69B
                                        • SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 0035B3BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
                                        • API String ID: 0-2409377028
                                        • Opcode ID: bc4fbf20363c9da86182066754ad03ac8f5145aab214bde6bfb01dd41911ad37
                                        • Instruction ID: c2318e324d605178ff84a0a0c8a7bf40d33be439388b6ac0a31eddefaf9c6272
                                        • Opcode Fuzzy Hash: bc4fbf20363c9da86182066754ad03ac8f5145aab214bde6bfb01dd41911ad37
                                        • Instruction Fuzzy Hash: 5612FF71A00205AFDB11DFA8DC49FAEFBB8EF84311F154169F905AB2A1DB759904CBA0
                                        APIs
                                        • FindClose.KERNEL32(00000000), ref: 0023AA5F
                                        • PathIsUNCW.SHLWAPI(00000001,*.*), ref: 0023AAC3
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 0023AD0C
                                        • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 0023AD26
                                        • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 0023AD5A
                                        • FindClose.KERNEL32(00000000), ref: 0023ADCB
                                        • SetLastError.KERNEL32(0000007B), ref: 0023ADD5
                                        • PathIsUNCW.SHLWAPI(?,?,79276D7D,?,00000000), ref: 0023B00E
                                        Similarity
                                        • API ID: Path$Find$CloseFullName$ErrorFileFirstLast
                                        • String ID: *.*$\\?\$\\?\UNC\
                                        • API String ID: 2310598285-1700010636
                                        • Opcode ID: 30abc0e2adbad6279d89f503ec71bce3c42b22d96fab01527c364b1bfc4e9ee5
                                        • Instruction ID: 16fecf4fe98073b4075a640b768df8a432c981fc3f4dcfb2407253c8aab51437
                                        • Opcode Fuzzy Hash: 30abc0e2adbad6279d89f503ec71bce3c42b22d96fab01527c364b1bfc4e9ee5
                                        • Instruction Fuzzy Hash: 896234B1A106169FDB14DF68C889BAEF7B5FF84310F148278E955DB2A1DB31AD10CB90

                                        Control-flow Graph
                                        • Rendered graph omitted; function entry 34eab0, blocks call GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, AllocateAndInitializeSid, EqualSid, FreeSid, CloseHandle
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0034EAF8
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0034EB05
                                        • GetLastError.KERNEL32 ref: 0034EB0F
                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 0034EB39
                                        • GetLastError.KERNEL32 ref: 0034EB3F
                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 0034EB65
                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0034EB98
                                        • EqualSid.ADVAPI32(00000000,?), ref: 0034EBA7
                                        • FreeSid.ADVAPI32(?), ref: 0034EBB6
                                        • CloseHandle.KERNEL32(00000000), ref: 0034EBF0
                                        Similarity
                                        • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                        • String ID:
                                        • API String ID: 695978879-0
                                        • Opcode ID: 019598b4363889f36414737645e3e58c0093175681485fe0c483fea27647c1cc
                                        • Instruction ID: b72bc3afdc60c433e50bbec8926b8b5963efb816e7fcc811e8cf8f5f8aa835fc
                                        • Opcode Fuzzy Hash: 019598b4363889f36414737645e3e58c0093175681485fe0c483fea27647c1cc
                                        • Instruction Fuzzy Hash: 2F413B71904219EFDF119FA4CD59BEEBBB8FF08314F144029E411B6290DB79AA04CB68
                                        Similarity
                                        • API ID: Init_thread_footer$HeapProcess
                                        • String ID:
                                        • API String ID: 275895251-0
                                        • Opcode ID: bbd6fb35390964f5cdf5915b0fee2f352c5c059fb7735caa98394b6b3058560f
                                        • Instruction ID: 478258bb447899a5345a783487bd516fda209f51cd763fe080bf2041d0f9b333
                                        • Opcode Fuzzy Hash: bbd6fb35390964f5cdf5915b0fee2f352c5c059fb7735caa98394b6b3058560f
                                        • Instruction Fuzzy Hash: 8162BF70A00649DFDB11CFA8C884B9EFBF5BF45314F1582A9E415AF291DB70AE89CB50

                                        Control-flow Graph
                                        • Rendered graph omitted; function entry 344050, blocks call GetLocaleInfoW, MsgWaitForMultipleObjectsEx, PeekMessageW, TranslateMessage, DispatchMessageW
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • GetLocaleInfoW.KERNEL32(?,00000002,0044337C,00000000), ref: 003440C1
                                        • GetLocaleInfoW.KERNEL32(?,00000002,00343B85,-00000001,00000078,-00000001), ref: 003440FD
                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00344181
                                        • PeekMessageW.USER32(?,00000000), ref: 003441C7
                                        • TranslateMessage.USER32(00000000), ref: 003441D2
                                        • DispatchMessageW.USER32(00000000), ref: 003441D9
                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 003441EB
                                        Similarity
                                        • API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
                                        • String ID: %d-%s
                                        • API String ID: 445213441-1781338863
                                        • Opcode ID: 012461787df68664b101614bd35352b0c7b81de9f0339827ee5a36578ef87a27
                                        • Instruction ID: 1f4a3093f624ba0ba788ace93f61f2843fccf07431a928c4734a0334d23e1a05
                                        • Opcode Fuzzy Hash: 012461787df68664b101614bd35352b0c7b81de9f0339827ee5a36578ef87a27
                                        • Instruction Fuzzy Hash: 55511271A40315ABE710DF94DC45FAEBBE8EF48724F104629F614AB2C1DB71A944CBA0

                                        Control-flow Graph
                                        • Rendered graph omitted; function entry 322350, blocks call LoadLibraryW, GetProcAddress, FreeLibrary
                                        APIs
                                        • LoadLibraryW.KERNEL32(ComCtl32.dll,79276D7D,00000000,?,00000000), ref: 0032238E
                                        • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003223B1
                                        • FreeLibrary.KERNEL32(00000000), ref: 0032242F
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: ,(E$=-;$ComCtl32.dll$LoadIconMetric
                                        • API String ID: 145871493-4103588746
                                        • Opcode ID: 5cf10f3ff9e1de1894823654c655421e06cff950970ef9fe5d609bb2d049a9b1
                                        • Instruction ID: f69f6a85d54679387378743ce7447f7266244a4b350d714542b81940730b0689
                                        • Opcode Fuzzy Hash: 5cf10f3ff9e1de1894823654c655421e06cff950970ef9fe5d609bb2d049a9b1
                                        • Instruction Fuzzy Hash: 3B31D571A00218ABDF158FA5DC44BAFBFF8EB48720F01412EF915A7280D7B98D04CB94

                                        Control-flow Graph
                                        • Rendered graph omitted; function entry 35a240, blocks call GetUserNameW, GetLastError, GetEnvironmentVariableW
                                        APIs
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 0035A2CE
                                        • GetLastError.KERNEL32 ref: 0035A2D4
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 0035A31C
                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0035A352
                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 0035A39C
                                        Similarity
                                        • API ID: EnvironmentNameUserVariable$ErrorLast
                                        • String ID: UserDomain
                                        • API String ID: 3567734997-2275544873
                                        • Opcode ID: f306a9fab76091b8b4f52157e9ae0e648f15e2cf0ba5b05f8a8b5a57f08ada78
                                        • Instruction ID: 0984600ceb759ad57396fa3d8a5e4d06d277b436067eeba69a92beb6e5fae44a
                                        • Opcode Fuzzy Hash: f306a9fab76091b8b4f52157e9ae0e648f15e2cf0ba5b05f8a8b5a57f08ada78
                                        • Instruction Fuzzy Hash: 7C612771A10219DFDF14DFA8C855BEEBBB4FF08305F24412DE401A7290DB75AA49CBA5
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002E1FF1
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • _wcschr.LIBVCRUNTIME ref: 002E20AF
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 002E20C4
                                        Similarity
                                        • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
                                        • String ID: Kernel32.dll
                                        • API String ID: 1122257418-1926710522
                                        • Opcode ID: 35d7ec51df9b4282dc2fef9fa0c5505a8d43fdae512ef074a2527918bff7cf03
                                        • Instruction ID: 1d1520cec29b8243f365313ad0a4322c91f94ccbecb15f2d8b4dffc48906ad29
                                        • Opcode Fuzzy Hash: 35d7ec51df9b4282dc2fef9fa0c5505a8d43fdae512ef074a2527918bff7cf03
                                        • Instruction Fuzzy Hash: 45A18CB0500645EFE714CF65C818B9ABBF4FF04318F20825DE8199B6C1D7BAA618CF90
                                        APIs
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0034CA6A
                                        Similarity
                                        • API ID: DiskFreeSpace
                                        • String ID: \$\$\
                                        • API String ID: 1705453755-3791832595
                                        • Opcode ID: 504ee9cf0d24fce0c16b516b749b36f6d78e1179864e1d3498d0efb818aaff70
                                        • Instruction ID: 8710638e5202de761bc3c370ef5a406f9defaecf5f0e2ee82f6936d13c1ac90d
                                        • Opcode Fuzzy Hash: 504ee9cf0d24fce0c16b516b749b36f6d78e1179864e1d3498d0efb818aaff70
                                        • Instruction Fuzzy Hash: 1A41F732D253598BCBB1DF2484416ABB3F4FF95354F166A2EE8D89B140E730AD8583C6
                                        APIs
                                        • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,}m'y,79276D7D,?,?,?,00000000,00426015), ref: 0035BBA8
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,}m'y,79276D7D,?,?,?,00000000,00426015,000000FF), ref: 0035BBCA
                                        Similarity
                                        • API ID: Create$FileNamedPipe
                                        • String ID: }m'y$}m'y
                                        • API String ID: 1328467360-2486897750
                                        • Opcode ID: b5ade0ac5867b400b5e45006bfc8735ee1437bf317b27e012a2f8fc34b6705d1
                                        • Instruction ID: a0d81e5ede32a9e65f4e3349d542fb6b157b8c7acaccb1074d94d024a537b6fa
                                        • Opcode Fuzzy Hash: b5ade0ac5867b400b5e45006bfc8735ee1437bf317b27e012a2f8fc34b6705d1
                                        • Instruction Fuzzy Hash: 9131B631684745AFD721CF14CC01FA6FBA4EB05720F10866EFDA55B6D0DB75A904CB54
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000008,?,00230DC7,?,?,00230B74,?), ref: 003B5D12
                                        • HeapAlloc.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5D19
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00230B74,?), ref: 003B5D5F
                                        • HeapFree.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5D66
                                          • Part of subcall function 003B5BAB: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,003B5D55,00000000,?,?,00230B74,?), ref: 003B5BCF
                                          • Part of subcall function 003B5BAB: HeapAlloc.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5BD6
                                        Similarity
                                        • API ID: Heap$Process$Alloc$Free
                                        • String ID:
                                        • API String ID: 1864747095-0
                                        • Opcode ID: 3f7dd3d97d0c6ca75e9b0e21bf6bedd9972978fe5a7eca3849dfc687cd1a9fdc
                                        • Instruction ID: 1a4682e13a02f8adf4c6fd6543e36b167e6a1b2d604a2be893b360b6e15390db
                                        • Opcode Fuzzy Hash: 3f7dd3d97d0c6ca75e9b0e21bf6bedd9972978fe5a7eca3849dfc687cd1a9fdc
                                        • Instruction Fuzzy Hash: 4FF0B436A04F1257C7672BB8BC0CB9B6B79AF84765713512CF206C6554DF20C8014B64
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 0032444F
                                        • FindClose.KERNEL32(00000000), ref: 003244AE
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Find$AllocCloseFileFirstHeap
                                        • String ID:
                                        • API String ID: 2507753907-0
                                        • Opcode ID: f285f729637149022b48ba033a06466ead1f6eaa6317b13c4bb86c5908bfbde6
                                        • Instruction ID: ec8b4ae6555f8f5499b8354312df393b1be4262cada088ed0c68bec1e10f23f4
                                        • Opcode Fuzzy Hash: f285f729637149022b48ba033a06466ead1f6eaa6317b13c4bb86c5908bfbde6
                                        • Instruction Fuzzy Hash: E1310130905228CBCB29EF56E848BAAB7B4FB44728F20826EE91997780D7715D44CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$HeapProcess
                                        • String ID:
                                        • API String ID: 275895251-0
                                        • Opcode ID: 1d487762a135128d9df2800a826c16f92f0f54c55a77ef521c0e80d408fcf2a2
                                        • Instruction ID: 638a3f4b7d5a63a384245be4ce2f745929009bace0865ff2f425e9c308c8b921
                                        • Opcode Fuzzy Hash: 1d487762a135128d9df2800a826c16f92f0f54c55a77ef521c0e80d408fcf2a2
                                        • Instruction Fuzzy Hash: A8E17D30A00649DFDB15CFA8CC84BAEBBF4FF44324F558269E815BB292DB74A945CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69f844551d38be4a5361f7bc6d482e04e26fcdad745c0263898cd4642d499755
                                        • Instruction ID: 43d3c30239a3e39c7cc4a8f17047050f514040e0c944de5c36e920f5df168837
                                        • Opcode Fuzzy Hash: 69f844551d38be4a5361f7bc6d482e04e26fcdad745c0263898cd4642d499755
                                        • Instruction Fuzzy Hash: A741A031A01659EBDB25DF68ED55BEEB3B4FF10310F158229E8159B2D1EB349E04CB50
                                        APIs
                                        • __set_se_translator.LIBVCRUNTIME ref: 002521F8
                                        • SetUnhandledExceptionFilter.KERNEL32(00320760), ref: 0025220E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled__set_se_translator
                                        • String ID:
                                        • API String ID: 2480343447-0
                                        • Opcode ID: d7bd6590b3a210c114ff602f195b603321a888f39b32b8eb339c41979f153ff9
                                        • Instruction ID: aa446b758205609377a192789863a60b622fe4470ad9a51734ed7e81e58c5325
                                        • Opcode Fuzzy Hash: d7bd6590b3a210c114ff602f195b603321a888f39b32b8eb339c41979f153ff9
                                        • Instruction Fuzzy Hash: 14E0263A9003106EC7435B54AC0AF8A3F20AB92712F094029F70857193CB7064088761
                                        APIs
                                          • Part of subcall function 00322890: __Init_thread_footer.LIBCMT ref: 00322970
                                        • CoCreateInstance.COMBASE(004431D8,00000000,00000001,0045F490,000000B0), ref: 00366DCE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CreateInit_thread_footerInstance
                                        • String ID:
                                        • API String ID: 3436645735-0
                                        • Opcode ID: 5ff6d17bcc02e06b126fdb3304cdd62baebc284af7538168e49ff9fab8ff3f9e
                                        • Instruction ID: 144671e479cd84866ef853ab3361893a125bdee9d31267174593a941f72b3f71
                                        • Opcode Fuzzy Hash: 5ff6d17bcc02e06b126fdb3304cdd62baebc284af7538168e49ff9fab8ff3f9e
                                        • Instruction Fuzzy Hash: A011AD71604745EBD720DF59D805B9ABBF8EB45B10F10466EF8159B7C0C7BAA504CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$CreateHeapInstanceProcess
                                        • String ID:
                                        • API String ID: 3807588171-0
                                        • Opcode ID: 081100779804c42074acd52f3e9c9b5ea629ec69382fee8b541923bfc4ac355a
                                        • Instruction ID: b37b6d1194776ee68b0c881988260e1edd67eabf97ddfe279090bf47de8ad369
                                        • Opcode Fuzzy Hash: 081100779804c42074acd52f3e9c9b5ea629ec69382fee8b541923bfc4ac355a
                                        • Instruction Fuzzy Hash: 856157B1500B04DFE721CF64C54838ABBE0FF04308F148A5ED88A9B782D7B9A609CF95

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00322C0E
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00322C55
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00322C74
                                        • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00322CA3
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00322D18
                                        • RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00322D81
                                        • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00322DE4
                                        • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00322E36
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00322ED3
                                        • GetProcAddress.KERNEL32(00000000), ref: 00322EDA
                                        • __Init_thread_footer.LIBCMT ref: 00322EEE
                                        • GetCurrentProcess.KERNEL32(?), ref: 00322F11
                                        • IsWow64Process.KERNEL32(00000000), ref: 00322F18
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00322F52
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                        • String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
                                        • API String ID: 1906320730-525127412
                                        • Opcode ID: b11d04d71d6379991f830e20db5ca35345c49cd474b420ce2523c5f953f700f1
                                        • Instruction ID: bc2a40ebf92ad413f9a6b63538fa22ccfec8fee7b4f31e866068d3309afffa98
                                        • Opcode Fuzzy Hash: b11d04d71d6379991f830e20db5ca35345c49cd474b420ce2523c5f953f700f1
                                        • Instruction Fuzzy Hash: 8AA19371900328EEDB61CF10DD45FDAB7F8FB04705F1181AAE948A6191EB785E88CF94

                                         Control-flow Graph (rendered graph; legend: Executed / Not Executed). Basic blocks span 00344960-00344C3F; the node and edge data of the graph is not reproduced here.
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 003449DC
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                          • Part of subcall function 00232970: RaiseException.KERNEL32(?,?,00000000,00000000,003B5A3C,C000008C,00000001,?,003B5A6D,00000000,?,002291C7,00000000,79276D7D,00000001,?), ref: 0023297C
                                        • __Init_thread_footer.LIBCMT ref: 00344A2C
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AllocConditionExceptionHeapRaiseVariableWake
                                        • String ID: YL$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$XiL$`iL$hiL$shfolder.dll
                                        • API String ID: 4172833244-868295239
                                        • Opcode ID: 90b5034877f2f7d942b81ac381d338906b69b185afb2f1fa86337f1420396daf
                                        • Instruction ID: b33d39d91dec0fac1e5598fc721847b44afbe79cdc82313de587c46fae8444e3
                                        • Opcode Fuzzy Hash: 90b5034877f2f7d942b81ac381d338906b69b185afb2f1fa86337f1420396daf
                                        • Instruction Fuzzy Hash: 907117B09002069BDB12EBA8D846BBAB3E1EF20314F268679E5519F391E735ED04CB55

                                         Control-flow Graph (rendered graph; legend: Executed / Not Executed). Basic blocks span 00322F80-003232A9 and include the RegOpenKeyExW, RegQueryValueExW and RegCloseKey call sites; the node and edge data of the graph is not reproduced here.
                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00322FF0
                                        • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 0032302B
                                        • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 003230A6
                                        • RegCloseKey.KERNEL32(00000000), ref: 0032327E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: QueryValue$CloseOpen
                                        • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                        • API String ID: 1586453840-3149529848
                                        • Opcode ID: d892376ea692c36bcae282193b8ec776b31366814e6e7a77c5518dfb62b3e950
                                        • Instruction ID: e584966a22b0968b8f4ea89ca5e30296704500f6cf325e3e1be009f67f0d7c41
                                        • Opcode Fuzzy Hash: d892376ea692c36bcae282193b8ec776b31366814e6e7a77c5518dfb62b3e950
                                        • Instruction Fuzzy Hash: 4F710A3070033997EB129B25FC45BAA7269FF40740F1185B6DD06AB682EB3CDE59CB46
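The two registry-reading functions above (the Windows NT\CurrentVersion reads at 00322C0E-00322F52 and the ProductOptions reads at 00322FF0-0032327E) print their call arguments raw, and the analysis value is in decoding them: 80000002 is the HKEY_LOCAL_MACHINE hive handle and 00020119 is KEY_READ with KEY_WOW64_64KEY set, so this 32-bit binary explicitly asks for the 64-bit registry view before it fingerprints the OS version, build branch and product type, and it then resolves IsWow64Process through GetModuleHandleW/GetProcAddress rather than importing it. The Python below is an added example, not Joe Sandbox tooling and not code from the sample: it parses trace lines in the shape this report prints them and reconstructs, per opened key, the hive, the requested rights, the values read, and the dynamically resolved exports. SAMPLE_TRACE is constructed from the lines of the two entries above; pairing GetModuleHandleW with the following GetProcAddress by reading the export name from the extra printed stack slot is an assumption about how the report lays out arguments, not a documented format rule.

```python
"""Decode Joe Sandbox API-trace lines ("API.MODULE(args), ref: addr") into the
registry keys a function opened, the rights it asked for, the values it read
and the exports it resolved at run time. Added example, not Joe Sandbox code."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: trace lines from the two registry functions above, in the
# shape the report prints them (bullet prefix, arguments as raw stack slots).
SAMPLE_TRACE = r"""
• RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00322C0E
• RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00322C55
• RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00322D18
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00322ED3
• GetProcAddress.KERNEL32(00000000), ref: 00322EDA
• __Init_thread_footer.LIBCMT ref: 00322EEE
• RegCloseKey.ADVAPI32(00000000), ref: 00322F52
• RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00322FF0
• RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 0032302B
• RegCloseKey.KERNEL32(00000000), ref: 0032327E
"""

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Predefined hive handles (winreg.h) and registry access bits (winnt.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_RIGHTS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
              (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
              (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
              (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
              (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
              (0x00080000, "WRITE_OWNER")]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]   # raw stack slots as printed; "?" means unresolved
    ref: int          # address of the call site


def parse_trace(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def _hex(s: str) -> int | None:
    try:
        return int(s, 16)
    except ValueError:
        return None


def decode_access(mask: int) -> list[str]:
    """Expand a samDesired mask into named rights; leftover bits stay as hex."""
    names = [name for bit, name in KEY_RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in KEY_RIGHTS)
    return names + ([f"0x{rest:X}"] if rest else [])


def registry_reads(calls: list[ApiCall]) -> list[dict]:
    """Attribute each RegQueryValueExW to the most recent RegOpenKeyExW. The
    report prints the key handle as 00000000, so call order is the only link."""
    reads, current = [], None
    for c in calls:
        if c.api == "RegOpenKeyExW" and len(c.args) >= 4:
            hive = HIVES.get(_hex(c.args[0]), c.args[0])
            current = {"key": f"{hive}\\{c.args[1]}",
                       "access": decode_access(_hex(c.args[3]) or 0), "values": []}
            reads.append(current)
        elif c.api == "RegQueryValueExW" and current and len(c.args) >= 2:
            current["values"].append(c.args[1])
        elif c.api == "RegCloseKey":
            current = None
    return reads


def resolved_imports(calls: list[ApiCall]) -> list[tuple[str, str]]:
    """Pair GetModuleHandle*/LoadLibrary* with the GetProcAddress that follows.
    Assumption: the report dumps raw stack slots, so the export name pushed for
    GetProcAddress shows up as a trailing 'argument' of the preceding call."""
    pairs = []
    for prev, nxt in zip(calls, calls[1:]):
        if nxt.api == "GetProcAddress" and prev.api.startswith(("GetModuleHandle", "LoadLibrary")):
            names = [a for a in prev.args[1:] if a != "?" and _hex(a) is None]
            pairs.append((prev.args[0] if prev.args else "?", names[0] if names else "?"))
    return pairs


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for r in registry_reads(trace):
        print(r["key"], "|", " ".join(r["access"]), "|", ", ".join(r["values"]))
    for mod, sym in resolved_imports(trace):
        print(f"dynamic import: {mod}!{sym}")
```

Run against the constructed trace it reports both HKEY_LOCAL_MACHINE keys with KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_WOW64_64KEY and READ_CONTROL, the value names read under each, and kernel32!IsWow64Process as the one dynamically resolved export. Feeding it the full APIs section of a report gives a quick inventory of what a function touched without reading each argument list by hand; anything the parser cannot attribute (a query with no preceding open, or an open with fewer than four printed slots) is simply dropped rather than guessed.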

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • GetTickCount.KERNEL32 ref: 00336554
                                        • __Xtime_get_ticks.LIBCPMT ref: 0033655C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003365A6
                                        • __Init_thread_footer.LIBCMT ref: 003367A1
                                        • GetCurrentProcess.KERNEL32 ref: 00336B06
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00336B16
                                        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00336B42
                                        • CloseHandle.KERNEL32(00000000), ref: 00336B83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                        • String ID: \/:*?"<>|$tiL$tiL
                                        • API String ID: 3363527671-3440277428
                                        • Opcode ID: e112e24bcfa948a4e34e962a0142ebd7337fb99aa21a3c8ae7d454039fc8816d
                                        • Instruction ID: f51873b9c90492231db4bed48c6c66b94fb0d051477400dcef442e68e9cf75b1
                                        • Opcode Fuzzy Hash: e112e24bcfa948a4e34e962a0142ebd7337fb99aa21a3c8ae7d454039fc8816d
                                        • Instruction Fuzzy Hash: E5229170900258DFDB11DFA8CC95BEEBBB4BF44304F1581A9E409AB292DB749E45CFA1

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                        • LoadLibraryW.KERNEL32(?,?,0034181B,?,?,?,?,?), ref: 0035F7C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: ,(E$EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                        • API String ID: 1029625771-3295565804
                                        • Opcode ID: 0c56ac286b8dcdf1b8d3a90da037029dd67a417d0297db86c06e4ea2c267af2a
                                        • Instruction ID: d817ab351d705d48a91ee41e8e4fd360ee67e6754dff1e93590f6d099e0db917
                                        • Opcode Fuzzy Hash: 0c56ac286b8dcdf1b8d3a90da037029dd67a417d0297db86c06e4ea2c267af2a
                                        • Instruction Fuzzy Hash: 7B015E7A9007119FCB549F28AC48D4B7FA1B728356301823BE91783372CB38589DCF98

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,79276D7D,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 0030DDE3
                                        • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0030DE0C
                                        • RegCreateKeyExW.KERNEL32(?,)r#,00000000,00000000,00000000,?,00000000,00000000,?,79276D7D,?,?,?,00000000,?,Function_001BDD00), ref: 0030DE59
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 0030DE6C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: AddressCloseCreateHandleModuleProc
                                        • String ID: )r#$)r#$Advapi32.dll$RegCreateKeyTransactedW
                                        • API String ID: 1765684683-3663824583
                                        • Opcode ID: 811413da54eb5139953b867d21aa384bcd11ff7712066c405567ad3436e6a883
                                        • Instruction ID: ad248a03c4454feba542effee72ae9fc37141fd0c8a4d9856c8ac6eb53ce6d05
                                        • Opcode Fuzzy Hash: 811413da54eb5139953b867d21aa384bcd11ff7712066c405567ad3436e6a883
                                        • Instruction Fuzzy Hash: CB319372640209FFEB258F85DC55FA7BBA8FB54B50F10412AF905DB6C0E775A810CB98

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                        • DecodePointer.KERNEL32(?,?,?,003B5DE5,004C4C90,?,?,?,002800E6,?,79276D7D,?,?,?,002C81B7), ref: 003B5AB1
                                        • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,003B5DE5,004C4C90,?,?,?,002800E6,?,79276D7D,?,?), ref: 003B5AC6
                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,002C81B7), ref: 003B5B42
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: DecodePointer$LibraryLoad
                                        • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                        • API String ID: 1423960858-1745123996
                                        • Opcode ID: 40b68a3d7920127d743b8a7c33a7df8ee215486f4d5fdb351de241c3a99ef001
                                        • Instruction ID: 9212e5122b2051c4180c666dd3b9e620d9630afd6fbde9ea7faa8e68d5f04ae0
                                        • Opcode Fuzzy Hash: 40b68a3d7920127d743b8a7c33a7df8ee215486f4d5fdb351de241c3a99ef001
                                        • Instruction Fuzzy Hash: C40104316027007ACB63DB609D13FCA77555B91B0FF160065B9067B6E2EAA98908819D

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 003429D1
                                        • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00342A30
                                        • SetEndOfFile.KERNEL32(?), ref: 00342A39
                                        • CloseHandle.KERNEL32(?), ref: 00342A52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointer
                                        • String ID: %sholder%d.aiph$Not enough disk space to extract file:$T`L
                                        • API String ID: 22866420-1364400410
                                        • Opcode ID: 05bf9a0075b7be8a51e588b29912b2b9302795346b63ca98095cddbda4c90e80
                                        • Instruction ID: 5e48915be846d3aa1f9e81618bd6c5d39062fc162c9744f32267e70e91d996bb
                                        • Opcode Fuzzy Hash: 05bf9a0075b7be8a51e588b29912b2b9302795346b63ca98095cddbda4c90e80
                                        • Instruction Fuzzy Hash: C3819D71A002099FDB11DF68CC45BAFB7E5EF48320F158629F925EB291DB31AD11CB94

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                          • Part of subcall function 003229D0: __Init_thread_footer.LIBCMT ref: 00322AA2
                                        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,79276D7D,00000000,00000000), ref: 00360C34
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00360CC9
                                        • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00360CFA
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00360D2D
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00360D4F
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00360D7E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
                                        • String ID: shim_clone
                                        • API String ID: 4264308349-3944563459
                                        • Opcode ID: 8051803dddb9515ca00e04cb799e426bbd6c897af194803918cf6acb1c907f4d
                                        • Instruction ID: ba082029737f0c26ff2dd165f69a54aceca4f0ebb8d6fb5626a90d81d554f89f
                                        • Opcode Fuzzy Hash: 8051803dddb9515ca00e04cb799e426bbd6c897af194803918cf6acb1c907f4d
                                        • Instruction Fuzzy Hash: 2E513730A402189EDB29DF64CC56BEEB7B9EF84700F1081A9F505AB1C1DB75AF44CB94

                                        Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                        APIs
                                        • SetFilePointer.KERNEL32(?,-00000400,?,00000002,00000400,79276D7D,?,?,?,?,?), ref: 0035F396
                                        • GetLastError.KERNEL32(?,?,?,?), ref: 0035F3A4
                                        • ReadFile.KERNEL32(?,00000000,00000400,000000FF,00000000,?,?,?,?), ref: 0035F3BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: File$ErrorLastPointerRead
                                        • String ID: ADVINSTSFX
                                        • API String ID: 64821003-4038163286
                                        • Opcode ID: b331fd2de4ddc0569138bd1d3331d23c9aab0c5295512b4777967db9b50245b1
                                        • Instruction ID: 61aba9ee3d42f7aed1c3baec051eed9ae006f076e582f8396e2d742bbf26b1b7
                                        • Opcode Fuzzy Hash: b331fd2de4ddc0569138bd1d3331d23c9aab0c5295512b4777967db9b50245b1
                                        • Instruction Fuzzy Hash: 4461C1B1A002088FDB12CF69C880FBFBBB9FB44315F654265E915AB2A1D7349D49CB64
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00232850
                                        • GetWindowLongW.USER32(?,000000FC), ref: 00232865
                                        • CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 0023287B
                                        • GetWindowLongW.USER32(?,000000FC), ref: 00232895
                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 002328A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Window$Long$CallProc
                                        • String ID: $
                                        • API String ID: 513923721-3993045852
                                        • Opcode ID: 8f9c7c55f79d0393c45fcf6bac12e1fa06908f74ffed39ed5a8ecd2b9deab70f
                                        • Instruction ID: f29fa4eb56776bd5c8c52d0a6f9760392f3b57c8977405c8da5a8f26c8ea6684
                                        • Opcode Fuzzy Hash: 8f9c7c55f79d0393c45fcf6bac12e1fa06908f74ffed39ed5a8ecd2b9deab70f
                                        • Instruction Fuzzy Hash: EB4112B1508700AFC360DF19D984A1BBBF5FF88720F504A2EF596836A0D772E8588F61
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,79276D7D,?,?,?,?,?,Function_001BDD00,000000FF,?,0031EE1C,?,?,000000FF), ref: 002ED943
                                        • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 002ED96C
                                        • RegOpenKeyExW.KERNEL32(?,79276D7D,00000000,?,00000000,79276D7D,?,?,?,?,?,Function_001BDD00,000000FF,?,0031EE1C,?), ref: 002ED9A5
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BDD00,000000FF,?,0031EE1C,?,?,000000FF), ref: 002ED9B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AddressCloseHandleModuleOpenProc
                                        • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                        • API String ID: 823179699-3913318428
                                        • Opcode ID: aca892a681e4c6f802fa3bba7d8a63b40cb1a162a2bd3b7dc912ab5f174f7dd1
                                        • Instruction ID: ea65882a65ebbb9ac83651cfc204a957597e672bb4a5412df8b0f1110f326bbe
                                        • Opcode Fuzzy Hash: aca892a681e4c6f802fa3bba7d8a63b40cb1a162a2bd3b7dc912ab5f174f7dd1
                                        • Instruction Fuzzy Hash: 8B21E232644246EFDB148F4ADC44FAAFBB8FB44750F00813AF819D7280D775A820CB54
                                        APIs
                                        • GetDlgItem.USER32(?,00000002), ref: 0033D230
                                        • GetWindowRect.USER32(00000000,?), ref: 0033D246
                                        • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0033CFF7,?,00000000), ref: 0033D25F
                                        • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0033CFF7,?), ref: 0033D26A
                                        • GetDlgItem.USER32(?,000003E9), ref: 0033D27C
                                        • GetWindowRect.USER32(00000000,?), ref: 0033D292
                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 0033D2D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Item$InvalidateShow
                                        • String ID:
                                        • API String ID: 2147159307-0
                                        • Opcode ID: fd8083072efde5e1fdaa34313e885bca9c36efa51866501bc481a7f0a92ac35f
                                        • Instruction ID: e6e9964266cfa6549b3afd99f4e581a754e751dd8f961c1795d129ba89dd8f78
                                        • Opcode Fuzzy Hash: fd8083072efde5e1fdaa34313e885bca9c36efa51866501bc481a7f0a92ac35f
                                        • Instruction Fuzzy Hash: A2217A70614300AFD344DF24DD89F6BBBE8EF89304F108629F859DA291D770E945CB5A
                                        APIs
                                        • SetFilePointer.KERNEL32(?,?,?,00000000,79276D7D,?,?,00000002,?,?,?,?,?,?,00000000,00420932), ref: 00341047
                                        • GetLastError.KERNEL32(?,00000002), ref: 003412D9
                                        • GetLastError.KERNEL32(?,00000002), ref: 00341383
                                        • GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00420932,000000FF,?,0033FF4A,00000010), ref: 00341056
                                          • Part of subcall function 00322230: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,79276D7D,00000008,00000000), ref: 0032227B
                                          • Part of subcall function 00322230: GetLastError.KERNEL32 ref: 00322285
                                        • ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00341118
                                        • ReadFile.KERNEL32(?,79276D7D,00000000,00000000,00000000,00000001,?,00000002), ref: 00341195
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$File$Read$FormatMessagePointer
                                        • String ID:
                                        • API String ID: 3903527278-0
                                        • Opcode ID: 359543162ee803dc7fb54518e2694176548261a986d32a63dff1fab831eb3e13
                                        • Instruction ID: e6265faec1ef4f7842e1336fd8cec385dd9d86ba3e30320c7720cc8c87576993
                                        • Opcode Fuzzy Hash: 359543162ee803dc7fb54518e2694176548261a986d32a63dff1fab831eb3e13
                                        • Instruction Fuzzy Hash: 32D1CF71D00609DFDB01DFA8D885BAEF7B5FF44314F148269E825EB292EB70A945CB90
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,79276D7D,?,00000010,?), ref: 0033DF8A
                                          • Part of subcall function 0034EAB0: GetCurrentProcess.KERNEL32 ref: 0034EAF8
                                          • Part of subcall function 0034EAB0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0034EB05
                                          • Part of subcall function 0034EAB0: GetLastError.KERNEL32 ref: 0034EB0F
                                          • Part of subcall function 0034EAB0: CloseHandle.KERNEL32(00000000), ref: 0034EBF0
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                        • String ID: Extraction path set to:$T`L$[WindowsVolume]$\\?\
                                        • API String ID: 699919280-3428966347
                                        • Opcode ID: f13f2d713c27feb48237e9ff2bd8a73cdd2d59f0dba1878d956709b3068e66d0
                                        • Instruction ID: f4a84661bc2539a3271e81fdb52b50c8f4ff7a37714e5b462dc6b8d69c4258ea
                                        • Opcode Fuzzy Hash: f13f2d713c27feb48237e9ff2bd8a73cdd2d59f0dba1878d956709b3068e66d0
                                        • Instruction Fuzzy Hash: 1CC1D070A0060A9FDB15DFA9C884BAEFBB4FF44314F158268E415AB2A2DB70DD45CF91
                                        APIs
                                        • ConnectNamedPipe.KERNEL32(?,00000000,79276D7D,?,000000FF,?,00000000,004262A6,000000FF,?,0035C45A,000000FF,?,00000001), ref: 0035C27A
                                        • GetLastError.KERNEL32(?,0035C45A,000000FF,?,00000001), ref: 0035C284
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,79276D7D,?,000000FF,?,00000000,004262A6,000000FF,?,0035C45A,000000FF,?), ref: 0035C2C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
                                        • String ID: \\.\pipe\ToServer$}m'y
                                        • API String ID: 2973225359-328139405
                                        • Opcode ID: ced02200ef0c8923f53233b65837a63063f1720996badb9ca6bd4d0a09aa6fcf
                                        • Instruction ID: 3a3d3c87d0d9aa0a1a81f5456c5e3d3093703ad9692b0b64672693fe48dbcf9f
                                        • Opcode Fuzzy Hash: ced02200ef0c8923f53233b65837a63063f1720996badb9ca6bd4d0a09aa6fcf
                                        • Instruction Fuzzy Hash: 1571C071610208EFDB15CF58D804BAEB7B8FF44728F10862EF8259B390DBB5A904CB90
                                        APIs
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,79276D7D,79276D7D,?,004C4C50,?,?,00343989,?,79276D7D,?,?,?,00000000,004210D5), ref: 003610E5
                                        • GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,004C4C50,?,?,00343989,?,79276D7D,?,?,?,00000000), ref: 00361133
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: FileInfoVersion$Size
                                        • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                        • API String ID: 2104008232-2149928195
                                        • Opcode ID: a0075042b6464ec0f44314a5b2fb36f7fff844c0c3f5765884a658c7b24bff50
                                        • Instruction ID: 05a284ea178d8c76db25cdf461b3c5672e5a81e95d58b51ccf276e73ecfc50b6
                                        • Opcode Fuzzy Hash: a0075042b6464ec0f44314a5b2fb36f7fff844c0c3f5765884a658c7b24bff50
                                        • Instruction Fuzzy Hash: E971DC71A00119AFDB11DFA8DC59AEFB7F8EF05310F19852AE911E7291EB349D04CBA0
                                        APIs
                                          • Part of subcall function 00360BE0: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,79276D7D,00000000,00000000), ref: 00360C34
                                          • Part of subcall function 00360BE0: GetTempPathW.KERNEL32(00000104,?), ref: 00360CC9
                                          • Part of subcall function 00360BE0: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00360CFA
                                          • Part of subcall function 00360BE0: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00360D2D
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,79276D7D,00000000,?,?,00000000,004270A5,000000FF,Shlwapi.dll,00360F26,?,?,00000010), ref: 00360FBD
                                        • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 00360FE9
                                        • GetLastError.KERNEL32(?,00000010), ref: 0036102E
                                        • DeleteFileW.KERNEL32(?), ref: 00361041
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
                                        • String ID: Shlwapi.dll
                                        • API String ID: 1841109139-1687636465
                                        • Opcode ID: 0f45131d72274255242882955636f849fe35ee4c905e04f8e9c1ce9729e46dde
                                        • Instruction ID: 67890628119e0921c388cead7cb4172b2fc454d5f10aa0da159c2cc339769bc7
                                        • Opcode Fuzzy Hash: 0f45131d72274255242882955636f849fe35ee4c905e04f8e9c1ce9729e46dde
                                        • Instruction Fuzzy Hash: F73174B1A00249ABDF15CFA5D945BEFFBB8FF05350F14812AE801A7240D7359A44CBA5
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,79276D7D,?,?,00000000,?,?,?,?,00426FED,000000FF,?,00341C3D), ref: 00360850
                                        • CreateThread.KERNEL32(00000000,00000000,00360BD0,?,00000000,?), ref: 00360886
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0036098F
                                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 0036099A
                                        • CloseHandle.KERNEL32(00000000), ref: 003609BA
                                          • Part of subcall function 00232970: RaiseException.KERNEL32(?,?,00000000,00000000,003B5A3C,C000008C,00000001,?,003B5A6D,00000000,?,002291C7,00000000,79276D7D,00000001,?), ref: 0023297C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
                                        • String ID:
                                        • API String ID: 3595790897-0
                                        • Opcode ID: cb800ce9b69a426a3780e22019f69c9d87144384248e0d96620594300bdef3b2
                                        • Instruction ID: 3d884c8072fcad9299558bb64031f6ae2e06f65b8f800146e1be40e7af73d705
                                        • Opcode Fuzzy Hash: cb800ce9b69a426a3780e22019f69c9d87144384248e0d96620594300bdef3b2
                                        • Instruction Fuzzy Hash: 6F516971A007099FDB18CF68C885BAEB7F5FF48714F258669E916AB7A1D730A840CF50
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • PathIsUNCW.SHLWAPI(?,?), ref: 00324736
                                        • _wcschr.LIBVCRUNTIME ref: 00324752
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$HeapPathProcess_wcschr
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 660126660-3019864461
                                        • Opcode ID: da9d5c01a73cdb71ff69ced7a1a87dbc9e0ae908e467d6e61e157904e76f9de2
                                        • Instruction ID: a359c4f276ad0019e1bb41bc0984f2d39cc1092d2b40bc2fc238f95970bbd248
                                        • Opcode Fuzzy Hash: da9d5c01a73cdb71ff69ced7a1a87dbc9e0ae908e467d6e61e157904e76f9de2
                                        • Instruction Fuzzy Hash: C3C1CF71A006199FDB01DBA8CC85BAEF7F8FF45310F158269E425EB2D1EB749904CBA0
                                        APIs
                                          • Part of subcall function 003364D0: GetTickCount.KERNEL32 ref: 00336554
                                          • Part of subcall function 003364D0: __Xtime_get_ticks.LIBCPMT ref: 0033655C
                                          • Part of subcall function 003364D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003365A6
                                          • Part of subcall function 0035A240: GetUserNameW.ADVAPI32(00000000,?), ref: 0035A2CE
                                          • Part of subcall function 0035A240: GetLastError.KERNEL32 ref: 0035A2D4
                                          • Part of subcall function 0035A240: GetUserNameW.ADVAPI32(00000000,?), ref: 0035A31C
                                          • Part of subcall function 0035A240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0035A352
                                          • Part of subcall function 0035A240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 0035A39C
                                        • __Init_thread_footer.LIBCMT ref: 003367A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                        • String ID: \/:*?"<>|$tiL$tiL
                                        • API String ID: 2099558200-3440277428
                                        • Opcode ID: 4f711e78595527e0a0ba82d256171b9d07dacc93ae79da035a69efde7ae7b629
                                        • Instruction ID: 7120b29210235620dc1b61328665e1e49b245c061581633e29ad508d0cdd986a
                                        • Opcode Fuzzy Hash: 4f711e78595527e0a0ba82d256171b9d07dacc93ae79da035a69efde7ae7b629
                                        • Instruction Fuzzy Hash: 7FD1BF70904258DFDB25DFA4C895BEDBBB0BF14308F1581ADD409AB282DB755E48CFA1
                                        APIs
                                        • __freea.LIBCMT ref: 003CF0F1
                                          • Part of subcall function 003CDC17: RtlAllocateHeap.NTDLL(00000000,00000000,003CD0E1,?,003CEE85,?,00000000,?,003BF625,00000000,003CD0E1,?,?,?,?,003CCEDB), ref: 003CDC49
                                        • __freea.LIBCMT ref: 003CF106
                                        • __freea.LIBCMT ref: 003CF116
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: __freea$AllocateHeap
                                        • String ID: `&#
                                        • API String ID: 2243444508-3593461860
                                        • Opcode ID: 420da26ef3bc4adff54cab171c34077eb40c7daffb19ccb093ccedad588df0d9
                                        • Instruction ID: 57f8706770ea741f2e6bcd023f949b37542366b656655cdd7bd03ce8b6314046
                                        • Opcode Fuzzy Hash: 420da26ef3bc4adff54cab171c34077eb40c7daffb19ccb093ccedad588df0d9
                                        • Instruction Fuzzy Hash: 19519272600216AFEB265F64DC41FBB7AAAEB04754F1A013DFD04DB251EB75CD109760
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,79276D7D,?,00000010,?,00339550,?), ref: 00336266
                                        • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 003362AF
                                        • ReadFile.KERNEL32(00000000,79276D7D,?,?,00000000,00000078,?), ref: 003362ED
                                        • CloseHandle.KERNEL32(00000000), ref: 00336339
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerRead
                                        • String ID:
                                        • API String ID: 4133201480-0
                                        • Opcode ID: e1b562ba69018b985f67906f579c2ac16d588f1a20cd3df027515c3794f5f961
                                        • Instruction ID: 431e42e7ee72942105108cd67215a5751ed4e498598073474604111840419d1b
                                        • Opcode Fuzzy Hash: e1b562ba69018b985f67906f579c2ac16d588f1a20cd3df027515c3794f5f961
                                        • Instruction Fuzzy Hash: E1416B70900609AFDB12CF98CC89BEEFBB8EF45724F148269E421AB2D1D7749D44CB64
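                                         The APIs entries in this listing print the stack window Joe Sandbox captured at each call: the first slots are the function's x86 stdcall parameters, anything past the documented parameter count is other stack content (the 79276D7D that recurs across many entries is one such raw 32-bit value), and ? marks a slot the sandbox did not resolve. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses the four lines of the CreateFileW/SetFilePointer/ReadFile/CloseHandle routine above (copied into SAMPLE_LINES as constructed input), keeps only the documented parameter count per API, and decodes the CreateFileW access, share-mode, disposition and attribute values to their Win32 names. PARAM_COUNTS, ApiCall and the helper names are this example's own; the counts and flag tables come from the public Win32 prototypes.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API lines copied from the function listing above, plus one
# zero-argument entry (GetLastError) from a later block to exercise the no-parentheses form.
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,"
    "00000000,?,?,79276D7D,?,00000010,?,00339550,?), ref: 00336266",
    "SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 003362AF",
    "ReadFile.KERNEL32(00000000,79276D7D,?,?,00000000,00000078,?), ref: 003362ED",
    "CloseHandle.KERNEL32(00000000), ref: 00336339",
    "GetLastError.KERNEL32 ref: 00324A38",
]

# Documented parameter counts (Win32, x86 stdcall). Slots beyond these are stack residue.
# Assumption of this example: the report prints the stack from the first argument onward.
PARAM_COUNTS = {
    "CreateFileW": 7, "SetFilePointer": 4, "ReadFile": 5, "CloseHandle": 1,
    "GetLastError": 0, "CreateDirectoryW": 2, "TerminateProcess": 2, "ExitProcess": 1,
}

_LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"      # the argument window is absent for zero-argument APIs
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

# Win32 constants for the CreateFileW parameters decoded below.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR_FLAGS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
              0x4: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
              0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}


@dataclass
class ApiCall:
    api: str
    module: str
    stack: list   # one entry per printed slot; None where the report shows '?'
    ref: int      # address of the call site in the dump

    def params(self):
        """Only the slots that are real parameters; unknown APIs return the whole window."""
        n = PARAM_COUNTS.get(self.api)
        return self.stack if n is None else self.stack[:n]


def parse_api_line(line: str) -> ApiCall:
    """Split 'Api.MODULE(slot,slot,...), ref: ADDR' into its parts."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    raw = m.group("args")
    stack = [] if not raw else [None if v == "?" else int(v, 16) for v in raw.split(",")]
    return ApiCall(m.group("api"), m.group("module"), stack, int(m.group("ref"), 16))


def decode_bits(value, table):
    """Expand a bitmask into constant names; bits the table does not cover are kept as hex."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names or ["0"]


def describe_createfilew(call: ApiCall) -> dict:
    """Name the seven CreateFileW parameters from the captured stack slots."""
    p = call.params()
    if call.api != "CreateFileW" or len(p) < 7:
        raise ValueError("not a complete CreateFileW call")
    name, access, share, _security, disp, flags, template = p
    return {
        "lpFileName": None if name is None else hex(name),  # pointer slot only; no string is printed
        "dwDesiredAccess": decode_bits(access, GENERIC_ACCESS),
        "dwShareMode": decode_bits(share, SHARE_MODE),
        "dwCreationDisposition": CREATION.get(disp, hex(disp) if disp is not None else "?"),
        "dwFlagsAndAttributes": decode_bits(flags, ATTR_FLAGS),
        "hTemplateFile": template,
    }


def dword_to_ascii(value: int) -> str:
    """Show a 32-bit slot as the little-endian bytes it occupies in memory."""
    return value.to_bytes(4, "little").decode("latin-1")


def summarize(lines):
    """Reduce an APIs listing to (api, parameter slots as printed) pairs."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        out.append((call.api, [None if v is None else f"{v:08X}" for v in call.params()]))
    return out


if __name__ == "__main__":
    for api, params in summarize(SAMPLE_LINES):
        print(api, params)
    print(describe_createfilew(parse_api_line(SAMPLE_LINES[0])))
    print(dword_to_ascii(0x79276D7D))
```

                                         Run as written, the CreateFileW slots decode to GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, that is, a read-only open of an existing file; the SetFilePointer and ReadFile arguments are mostly unresolved in the capture, so no offset or length should be inferred from the trailing raw values. dword_to_ascii also shows that the String ID }m'y in the EnumResourceLanguagesW entry further down is the same 79276D7D stack value rendered as little-endian text rather than a meaningful string.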
                                        APIs
                                          • Part of subcall function 003D2DAC: GetOEMCP.KERNEL32(00000000,?,?,?,00000104), ref: 003D2DD7
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,`&#,?,?,?,?,?,`&#,003D30C3,?,00000000,?,?,00000104), ref: 003D32DD
                                        • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,`&#,003D30C3,?,00000000,?,?,00000104), ref: 003D331F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID: `&#
                                        • API String ID: 546120528-3593461860
                                        • Opcode ID: f54d4ac9d8cf9aef6be7e78db860e4ac58b49119bdbd9744eca68a2724629719
                                        • Instruction ID: 3b679c791fcdbfab821ed3fcd08945390afdbb3f43612615d68473ee5071cfbc
                                        • Opcode Fuzzy Hash: f54d4ac9d8cf9aef6be7e78db860e4ac58b49119bdbd9744eca68a2724629719
                                        • Instruction Fuzzy Hash: 82513476A006448EDB23DF36D9806AAFBF5EF80300F15446FD0928B352DA789E06CB51
                                        APIs
                                        • GetLastError.KERNEL32(0033C783,00000000), ref: 0033CFA0
                                        • DestroyWindow.USER32(?), ref: 0033D057
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: DestroyErrorLastWindow
                                        • String ID: (0;
                                        • API String ID: 1182162058-2807173533
                                        • Opcode ID: 0b90125ed86f6eb9de5fb9877a8321bac4cc3e366ce77e9f634fa00d047dac89
                                        • Instruction ID: 721244a41ba15f6625299e8b924d9dc030f7723d437986107d823c2832b6abcc
                                        • Opcode Fuzzy Hash: 0b90125ed86f6eb9de5fb9877a8321bac4cc3e366ce77e9f634fa00d047dac89
                                        • Instruction Fuzzy Hash: F92106B16101199BD725AF18FC41BAA77A4EB94320F004266FD04CB791D776EC61CBF5
                                        APIs
                                        • LCMapStringEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,E8458D00,00000100,?,E8458D00,00000000), ref: 003D033C
                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,`&#,003CF030,?,?,00000000,?,00000000), ref: 003D035A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: String
                                        • String ID: `&#
                                        • API String ID: 2568140703-3593461860
                                        • Opcode ID: c1e20b955dcb26bcec5615a5add710e819f66307126da30d3866eca1e30cbde5
                                        • Instruction ID: 08233b75d30578802180403a234cc4ba2b8c84bc71f9b813f7542641a5901b16
                                        • Opcode Fuzzy Hash: c1e20b955dcb26bcec5615a5add710e819f66307126da30d3866eca1e30cbde5
                                        • Instruction Fuzzy Hash: 58F07A3610061ABBCF135F91EC05EDE7F26FF48760F054125FA1869120CB32D971AB94
                                        APIs
                                        • SetFilePointer.KERNEL32(?,?,?,00000000,79276D7D,?,?), ref: 00340B77
                                        • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00340C84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: File$PointerRead
                                        • String ID:
                                        • API String ID: 3154509469-0
                                        • Opcode ID: e84f5e63a6d5183a0b2c2c0c33a389479c90ccff2b8875a350a49d69bf047f44
                                        • Instruction ID: 13ee1de54da511aa270a435a3181aa62c598f96f1cb9794003c10bf71d018a4b
                                        • Opcode Fuzzy Hash: e84f5e63a6d5183a0b2c2c0c33a389479c90ccff2b8875a350a49d69bf047f44
                                        • Instruction Fuzzy Hash: 9C618071E00609EFDB15DFA8D845B9DFBB4FF05320F10826AE924AB391DB75A914CB90
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,79276D7D,?,?,?,80004005,?,00000000), ref: 0033E13E
                                        • GetLastError.KERNEL32(?,?,?,80004005,?,00000000), ref: 0033E176
                                        • GetLastError.KERNEL32(?,?,?,?,80004005,?,00000000), ref: 0033E20F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateFile
                                        • String ID:
                                        • API String ID: 1722934493-0
                                        • Opcode ID: 8ba2685b6f7cce3da5f358c80ecb5dce7febdcdca86e3b943b99252443e9c6b0
                                        • Instruction ID: 34db1b676966508acbf1516f8fdf3400ea02e234a59649980602d67a7f636110
                                        • Opcode Fuzzy Hash: 8ba2685b6f7cce3da5f358c80ecb5dce7febdcdca86e3b943b99252443e9c6b0
                                        • Instruction Fuzzy Hash: 1E51E171A006059FDB21DF68DC81BAAF7B5FF44320F108629E915D73E1EB31A905CB90
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,79276D7D,?,?,771AE010,00000000,0041AAC5,000000FF,?,003632A7,00000000,.part,00000005), ref: 0032496B
                                        • CreateDirectoryW.KERNEL32(000000FF,00000000,?,?,00452A4C,00000001,?), ref: 00324A2A
                                        • GetLastError.KERNEL32 ref: 00324A38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLastPath
                                        • String ID:
                                        • API String ID: 953296794-0
                                        • Opcode ID: e79a02bd84b3a9818e1c4bca0512938faa7751f8e2c4a88c9528237ab7294e21
                                        • Instruction ID: 1634f8f98adb7a8ece5a8417316e80668ad04b89ec7329cfcbb9007a2bc971e2
                                        • Opcode Fuzzy Hash: e79a02bd84b3a9818e1c4bca0512938faa7751f8e2c4a88c9528237ab7294e21
                                        • Instruction Fuzzy Hash: BC61EE31A00219DFDB11DFA8D885BADFBF4EF19320F258269E814A72D1EB749904CF90
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,003CC636,?,003BAD12,?,?,79276D7D,003BAD12,?), ref: 003CC64D
                                        • TerminateProcess.KERNEL32(00000000,?,003CC636,?,003BAD12,?,?,79276D7D,003BAD12,?), ref: 003CC654
                                        • ExitProcess.KERNEL32 ref: 003CC666
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 634e006eb2c8736b8d2ece96bd71ee6accd348706960c3bf66cc91f337e2edda
                                        • Instruction ID: ea221013ba5c67f768ee378b9dcdc16824bd9ad3020d4ebad930afa4de21dc04
                                        • Opcode Fuzzy Hash: 634e006eb2c8736b8d2ece96bd71ee6accd348706960c3bf66cc91f337e2edda
                                        • Instruction Fuzzy Hash: FAD06731010604ABCF022F60DD09D597F25AB443417157068F90A8A032CF719DA29B98
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,79276D7D), ref: 00324E00
                                          • Part of subcall function 00324EC0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00324ECD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                        • String ID: USERPROFILE
                                        • API String ID: 1777821646-2419442777
                                        • Opcode ID: cf68b1c223af0217718a79f8c0adc896af1f3ae1c5318021a252a4fc1544f1cb
                                        • Instruction ID: 9d7b9dd9d69e70843569f2ff737a652de344c378c979648f9bc5dfa7472b8122
                                        • Opcode Fuzzy Hash: cf68b1c223af0217718a79f8c0adc896af1f3ae1c5318021a252a4fc1544f1cb
                                        • Instruction Fuzzy Hash: 4C61BF71A00629DFDB14DFA8D859BAEB7B8FF44710F11866DE819DB392DB309900CB91
                                        APIs
                                        • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00344020,?), ref: 00343E8B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EnumLanguagesResource
                                        • String ID: }m'y
                                        • API String ID: 4141015960-184714451
                                        • Opcode ID: ce33c77c717e637e550956d7ce160b4e801a3f986fcaa032da1367200997f632
                                        • Instruction ID: a1476b5af371d6d6157390864b55131075e1abd944296e3968b53789c7f75a80
                                        • Opcode Fuzzy Hash: ce33c77c717e637e550956d7ce160b4e801a3f986fcaa032da1367200997f632
                                        • Instruction Fuzzy Hash: 15617E71A0161A9FDB15DF68C885B9AF7F4FF08304F110269E914AF681E771EA588BA0
                                        APIs
                                        • GetCPInfo.KERNEL32(E8458D00,?,003D30CF,003D30C3,00000000), ref: 003D2EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Info
                                        • String ID: `&#
                                        • API String ID: 1807457897-3593461860
                                        • Opcode ID: 152e5559819ec85831974c86becaf83349f9e6ad2dea5d507f418cf18e6b6cce
                                        • Instruction ID: 0ba348581a21a92e55109711e593fc9217d1857ccd2ddafd82b8984801447e53
                                        • Opcode Fuzzy Hash: 152e5559819ec85831974c86becaf83349f9e6ad2dea5d507f418cf18e6b6cce
                                        • Instruction Fuzzy Hash: 60513B725041589EDB238B28DD84BE77BBCEB65704F2409EEE49AC7242D2359E46DF20
                                        APIs
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00284CC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID: $
                                        • API String ID: 1378638983-3993045852
                                        • Opcode ID: 2c6ae0ed7bfc5ffd0a3df1d111d2f5b927d17f8b9e8d5da4fbe1029b9e6c6706
                                        • Instruction ID: 5286dbd59b317bf3db5178d328ba13d0bd67187e814bef68120c408889d96774
                                        • Opcode Fuzzy Hash: 2c6ae0ed7bfc5ffd0a3df1d111d2f5b927d17f8b9e8d5da4fbe1029b9e6c6706
                                        • Instruction Fuzzy Hash: C831DC75106341DFCB54AF08C884B1AFBF4BF88310F04855EF9458B295D3B5E964CB91
                                        APIs
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • __Init_thread_footer.LIBCMT ref: 00308052
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                        • String ID: XaL
                                        • API String ID: 2296764815-2657284423
                                        • Opcode ID: a88a8cfa886a50adbb1285dceec270dfbf1570802016d4b82ad28b82d00ba78b
                                        • Instruction ID: 1794a3f4b59e6a0db3bb3fdcbbff809dd5642608bf206ea1d2bd4d0cff1eb3d0
                                        • Opcode Fuzzy Hash: a88a8cfa886a50adbb1285dceec270dfbf1570802016d4b82ad28b82d00ba78b
                                        • Instruction Fuzzy Hash: FA0147B1A04644EFCB65CF18D842F85B3A0EB04721F21837EF415877C2DF39A8049619
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 00361931
                                        • EndDialog.USER32(00000000,00000001), ref: 00361940
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: DialogWindow
                                        • String ID:
                                        • API String ID: 2634769047-0
                                        • Opcode ID: 24c01b0fe9170d38da7ee2480c2abea5f17fad4e128cbfdc501bd1d315569342
                                        • Instruction ID: 4f4d7dd78be2b03f3735d8b669ec15f45eff28470898293966d48600a201760f
                                        • Opcode Fuzzy Hash: 24c01b0fe9170d38da7ee2480c2abea5f17fad4e128cbfdc501bd1d315569342
                                        • Instruction Fuzzy Hash: E6517930A01A45DFD711CF69C948B8AFBF4EF49310F18C2ADE4599B2A5D774AA04CB91
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000), ref: 0035F735
                                        • CloseHandle.KERNEL32(?), ref: 0035F789
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CloseFreeHandleLibrary
                                        • String ID:
                                        • API String ID: 10933145-0
                                        • Opcode ID: 75441038ef30604f3c28842fc43962cba980de48bcb3777e1c8a35664a26d037
                                        • Instruction ID: 5240658b585e327dbe71d689de0ab19104220328c6e668405099cda5cf5b654b
                                        • Opcode Fuzzy Hash: 75441038ef30604f3c28842fc43962cba980de48bcb3777e1c8a35664a26d037
                                        • Instruction Fuzzy Hash: 57211A71604B019FD744DF19EC88F9ABBF8FB04755F018229E426C72A0DB79A948CB98
                                        APIs
                                          • Part of subcall function 00322350: LoadLibraryW.KERNEL32(ComCtl32.dll,79276D7D,00000000,?,00000000), ref: 0032238E
                                          • Part of subcall function 00322350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003223B1
                                          • Part of subcall function 00322350: FreeLibrary.KERNEL32(00000000), ref: 0032242F
                                        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00320F84
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00320F8F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: LibraryMessageSend$AddressFreeLoadProc
                                        • String ID:
                                        • API String ID: 3032493519-0
                                        • Opcode ID: 977e8648611b9fa0bd21b311870245fede1de8cb5046dd4c05fca518b7f9f1e4
                                        • Instruction ID: 55cd7573abdd75851aa93e4a454f92af6e6d398ff1327142cf3d7e187bf7c7cb
                                        • Opcode Fuzzy Hash: 977e8648611b9fa0bd21b311870245fede1de8cb5046dd4c05fca518b7f9f1e4
                                        • Instruction Fuzzy Hash: B2F030327812283BF66021596C57F67B64DD785B64F144276FB98AF2C2ECD77C1102D8
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000000,?,003D221D,?,00000000,?,?,003D24BE,?,00000007,?,?,003D2B18,?,?), ref: 003CDBF3
                                        • GetLastError.KERNEL32(?,?,003D221D,?,00000000,?,?,003D24BE,?,00000007,?,?,003D2B18,?,?), ref: 003CDBFE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 485612231-0
                                        • Opcode ID: 4db3482101b3025b8b1415f78486c9e4e1759c212baa3f5db47ec1ab86a9f895
                                        • Instruction ID: d6581b4f420deecc0061db3a9f54e5e9433ed2cee61b5a76b46ee7db18bc985a
                                        • Opcode Fuzzy Hash: 4db3482101b3025b8b1415f78486c9e4e1759c212baa3f5db47ec1ab86a9f895
                                        • Instruction Fuzzy Hash: E1E08631104714ABCB123FA4ED0DBA97B78AB00355F059038F608CA061DB719C94CBA4
                                        APIs
                                        • DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,79276D7D), ref: 00342ADB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 31c4425fd229533cff97333e625d74775a80d11666d84119a01d741204d73d08
                                        • Instruction ID: ff79a79a0d9d09e3ef3103169df55f5c3b088f31eb9bc5176c91839ade927b72
                                        • Opcode Fuzzy Hash: 31c4425fd229533cff97333e625d74775a80d11666d84119a01d741204d73d08
                                        • Instruction Fuzzy Hash: 4241DD71A00614DFDB12DF58C885B9ABBF4FB04710F1686A9FD14AF282DB71A904CBA0
                                        APIs
                                          • Part of subcall function 00322B00: __Init_thread_footer.LIBCMT ref: 00322B76
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • __Init_thread_footer.LIBCMT ref: 00322970
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                        • String ID:
                                        • API String ID: 984842325-0
                                        • Opcode ID: 4aef82c7bb73dbe84dead5ff8ddb72660d26733131c14c77550008392bff87e3
                                        • Instruction ID: 2d3531844258719b0465d33f77635440cd163b1baa7515c872b0bcbaeadd2cd1
                                        • Opcode Fuzzy Hash: 4aef82c7bb73dbe84dead5ff8ddb72660d26733131c14c77550008392bff87e3
                                        • Instruction Fuzzy Hash: 9A31D1B1A00A50EFD752DF04FC86F9AB3A4F700718F228629E8514B7D0D7BAA954CB4D
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00341B50,?,00000000,00000000,?,?), ref: 0035F86D
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                          • Part of subcall function 0035F940: WaitForSingleObject.KERNEL32(?,000000FF,79276D7D,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 0035F974
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AllocCreateFileHeapObjectSingleWait
                                        • String ID:
                                        • API String ID: 2723504993-0
                                        • Opcode ID: 7d984b7292bf14a2c5be01d6b4b02084454d111a98c2555898ff9db3a1135783
                                        • Instruction ID: 9dd05d261a2bfe7d0d6d0815ac48ec05a0fe5539de3333f9833b090fe5f0e710
                                        • Opcode Fuzzy Hash: 7d984b7292bf14a2c5be01d6b4b02084454d111a98c2555898ff9db3a1135783
                                        • Instruction Fuzzy Hash: FC310434604B009FD325DF28D888F1ABBE0FF88304F20896DE99ADB360D731A994CB55
                                        APIs
                                          • Part of subcall function 003CDC17: RtlAllocateHeap.NTDLL(00000000,00000000,003CD0E1,?,003CEE85,?,00000000,?,003BF625,00000000,003CD0E1,?,?,?,?,003CCEDB), ref: 003CDC49
                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,?,003CD0E1,00000000,?,003BF625,00000000,003CD0E1,?,?,?,?,003CCEDB,?,?), ref: 003CEECD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: c33278481566e88dfa7829e2f8fca4646385f2fbd37859072032a5d4df200201
                                        • Instruction ID: 5fb4ad22cab4dbf1a069113a81aa0089338a6f67172007cf1d4a23260c824812
                                        • Opcode Fuzzy Hash: c33278481566e88dfa7829e2f8fca4646385f2fbd37859072032a5d4df200201
                                        • Instruction Fuzzy Hash: 7EF062325002156A9B233A35AC01FAB7BA99F817F0B16012DF868DE191DF219C4097A1
                                        APIs
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                          • Part of subcall function 00322BA0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00322C0E
                                          • Part of subcall function 00322BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00322C55
                                          • Part of subcall function 00322BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00322C74
                                          • Part of subcall function 00322BA0: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00322CA3
                                          • Part of subcall function 00322BA0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00322D18
                                        • __Init_thread_footer.LIBCMT ref: 00322B76
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                        • String ID:
                                        • API String ID: 3563064969-0
                                        • Opcode ID: 30e39c970cd81947d43c6a8897918723c70b46f354b19c5b8badc9c9edcfb2fb
                                        • Instruction ID: fbe3e4283066bba1f7f56256ae69fa3890d2995e87e7f608dbd22c7e5330ca81
                                        • Opcode Fuzzy Hash: 30e39c970cd81947d43c6a8897918723c70b46f354b19c5b8badc9c9edcfb2fb
                                        • Instruction Fuzzy Hash: 2B01F2B5A00604FBC711DF58EC42F5A73A4E704720F31833EE9259B7C5D738A9008649
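The "APIs" entries above are the part of this report an analyst actually triages: the subcall at 00322BA0 opens `Software\Microsoft\Windows NT\CurrentVersion` and reads CurrentMajorVersionNumber, CurrentMinorVersionNumber, CurrentVersion and CurrentBuildNumber (an OS-version probe), the subcall at 00322350 resolves LoadIconMetric from ComCtl32.dll at runtime with LoadLibraryW/GetProcAddress, and the function at 00342ADB calls DeleteFileW. The following script is an added example, not Joe Sandbox code and not part of this report: it parses report lines of the shape shown here (bullet, optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE(args), "ref: address"), groups them per function entry, and tags each entry with a behaviour label. The line format is inferred from this page, the sample text is a subset of the entries above copied in as constructed input, and the tag names and the rules behind them are my own, not Joe Sandbox's signatures.

```python
import re

# Constructed sample: a subset of the "APIs" entries from this report, in the
# line shape Joe Sandbox uses here. Entries begin at an "APIs" header and end at
# "Memory Dump Source".
SAMPLE_REPORT = r"""
APIs
• IsWindow.USER32(00000000), ref: 00361931
• EndDialog.USER32(00000000,00000001), ref: 00361940
Memory Dump Source
APIs
  • Part of subcall function 00322350: LoadLibraryW.KERNEL32(ComCtl32.dll,79276D7D,00000000,?,00000000), ref: 0032238E
  • Part of subcall function 00322350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003223B1
  • Part of subcall function 00322350: FreeLibrary.KERNEL32(00000000), ref: 0032242F
• SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00320F84
Memory Dump Source
APIs
  • Part of subcall function 00322BA0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00322C0E
  • Part of subcall function 00322BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00322C55
  • Part of subcall function 00322BA0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00322D18
• __Init_thread_footer.LIBCMT ref: 00322B76
Memory Dump Source
APIs
• DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,79276D7D), ref: 00342ADB
Memory Dump Source
"""

# One API bullet. The argument list is optional (CRT entries such as
# __Init_thread_footer.LIBCMT carry none), and so is the subcall prefix.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_entries(text):
    """Return one list of call dicts per 'APIs' section of the report text."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            entries.append(current)
            continue
        if current is None:
            continue
        m = LINE_RE.match(line)
        if m:
            args = m.group("args")
            current.append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("sub"),  # None when the function calls the API directly
            })
        elif stripped == "Memory Dump Source":
            current = None  # end of this entry's API list
    return entries


# Behaviour labels (my own names, hypothetical): each rule looks at the whole
# call list of one function entry so that multi-call patterns can be matched.
RULES = {
    "registry-os-version-check": lambda calls: any(
        c["api"] == "RegOpenKeyExW" and any("CurrentVersion" in a for a in c["args"])
        for c in calls
    ) and any(c["api"] == "RegQueryValueExW" for c in calls),
    "dynamic-api-resolution": lambda calls: {"LoadLibraryW", "GetProcAddress"}
    <= {c["api"] for c in calls},
    "file-deletion": lambda calls: any(c["api"] == "DeleteFileW" for c in calls),
}


def classify(calls):
    """Sorted list of rule names that match this entry's call list."""
    return sorted(tag for tag, rule in RULES.items() if rule(calls))


def summarize(text):
    """Per entry: API names in order, addresses of direct calls, the subcall
    functions the entry reaches, and the behaviour tags that matched."""
    summary = []
    for calls in parse_api_entries(text):
        summary.append({
            "apis": [c["api"] for c in calls],
            "direct_refs": [c["ref"] for c in calls if c["subcall"] is None],
            "subcall_fns": sorted({c["subcall"] for c in calls if c["subcall"]}),
            "tags": classify(calls),
        })
    return summary


if __name__ == "__main__":
    for i, entry in enumerate(summarize(SAMPLE_REPORT)):
        print(f"entry {i}: tags={entry['tags']} direct={entry['direct_refs']} "
              f"via={entry['subcall_fns']} apis={entry['apis']}")
```

Run against the full "APIs" sections of a report, this turns a few thousand lines of per-function listings into a short list of entries worth opening in the disassembly; the "Part of subcall function" prefix is kept separate from direct calls because it tells you which shared helper (here 00322BA0 or 00322350) actually contains the behaviour, rather than every caller that reaches it.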
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00000000,003CD0E1,?,003CEE85,?,00000000,?,003BF625,00000000,003CD0E1,?,?,?,?,003CCEDB), ref: 003CDC49
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 9ae41b0d40ae948dae08dd2f88349da2cb7f34ee3398419b3ed5330db909aab1
                                        • Instruction ID: e4e4300849da2e3052d67e94c3f9ce6de11045d2ec66edb3c4994b10ea4c01a7
                                        • Opcode Fuzzy Hash: 9ae41b0d40ae948dae08dd2f88349da2cb7f34ee3398419b3ed5330db909aab1
                                        • Instruction Fuzzy Hash: 8FE0ED315002205ADB233AA59D05FAB768C9B413A0F0A8038FC46DA090EBE0EC40D3A0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 0564ba2cac5a3ef8b5ee78c355d0c53d9637b8e5312d9c4ddb9492affe39cbde
                                        • Instruction ID: d0ec5d53c13f4d4767ed315ff6117ac670fb959ef9845284f69b7dde325b0e51
                                        • Opcode Fuzzy Hash: 0564ba2cac5a3ef8b5ee78c355d0c53d9637b8e5312d9c4ddb9492affe39cbde
                                        • Instruction Fuzzy Hash: DDE09AB2C0020EAADB01DFD4C456BEFBBB8EB08314F509427E245EB141EB7857448BA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: d76278e01b045bf7c5ab22e1ce2ca2a81a42c6464236dc2e2c957549e6a02276
                                        • Instruction ID: fbac263f640c3b43717560f1809f6ac5059ca991adfc62d5993a6a930e504ff3
                                        • Opcode Fuzzy Hash: d76278e01b045bf7c5ab22e1ce2ca2a81a42c6464236dc2e2c957549e6a02276
                                        • Instruction Fuzzy Hash: 2BC08C702017204BC7305F18BA08742B2EC5B04704F01441DB409C3200CA70DC008A58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #L$ $L$(L$( L$(!L$("L$0L$100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8L$8#L$8$L$800$8000$@L$@ L$@!L$@"L$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$HL$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$PL$P$L$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X!L$X"L$X#L$`L$` L$hL$hL$h$L$p!L$p"L$p#L$xL$x L$~$L$L
                                        • API String ID: 0-224244478
                                        • Opcode ID: 8d1f98fdc8fa6335621077fc5b660ce343dfad0da86a5f04e95f324a737cb3ed
                                        • Instruction ID: 7e0ebf24912d67b15e91d974eadf607580d9e3e2d70f0206f90b7facc4c37377
                                        • Opcode Fuzzy Hash: 8d1f98fdc8fa6335621077fc5b660ce343dfad0da86a5f04e95f324a737cb3ed
                                        • Instruction Fuzzy Hash: 2233EA20A563C8FAD740EFF4AD15B5D29509B52705F6083AEE1452B2E2CFBC4B18876F
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 0024420A
                                        • VariantClear.OLEAUT32(?), ref: 0024423C
                                        • VariantClear.OLEAUT32(?), ref: 0024435F
                                        • VariantClear.OLEAUT32(?), ref: 0024438E
                                        • SysFreeString.OLEAUT32(00000000), ref: 00244395
                                        • SysAllocString.OLEAUT32(00000000), ref: 002443E8
                                        • VariantClear.OLEAUT32(?), ref: 00244476
                                        • VariantClear.OLEAUT32(?), ref: 002444A8
                                        • VariantClear.OLEAUT32(?), ref: 00244609
                                        • VariantClear.OLEAUT32(?), ref: 0024463C
                                        • SysFreeString.OLEAUT32(00000000), ref: 00244647
                                        • SysAllocString.OLEAUT32(00000000), ref: 0024468A
                                        • SysFreeString.OLEAUT32(00000000), ref: 00244845
                                          • Part of subcall function 00245120: VariantClear.OLEAUT32(?), ref: 00245129
                                        • VariantClear.OLEAUT32(?), ref: 002447FB
                                        • VariantClear.OLEAUT32(?), ref: 00244837
                                        • SysAllocString.OLEAUT32(00000000), ref: 00244869
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                        • API String ID: 1305860026-3153392536
                                        • Opcode ID: 5a6f649ba8635d8a6615370a0c16db0dbb7684dfb497c72cfcb3894d573b499f
                                        • Instruction ID: 44d1fb10673c184563ee8499e4aab8abd8c4a275bbfba942cede99755a98f64f
                                        • Opcode Fuzzy Hash: 5a6f649ba8635d8a6615370a0c16db0dbb7684dfb497c72cfcb3894d573b499f
                                        • Instruction Fuzzy Hash: 54925970D10258DFDB24DFA4CC84BDEBBB4BF49314F104299E449A7281EB74AA95CF94
                                        APIs
                                        • CreateFileW.KERNEL32(004C6078,C0000000,00000003,00000000,00000004,00000080,00000000,79276D7D,004C6054,004C606C,?), ref: 00357837
                                        • GetLastError.KERNEL32 ref: 00357854
                                        • OutputDebugStringW.KERNEL32(00000000,00000020), ref: 003578CF
                                        • OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 003579CB
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00357A3C
                                        • WriteFile.KERNEL32(00000000,004C5920,00000000,00000000,00000000,?,0000001C), ref: 00357A6C
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,004458A8,00000002), ref: 00357B17
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00357B20
                                        • FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00357A71
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        • OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 00357C12
                                        • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 00357C98
                                        • FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00357CA3
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,004458A8,00000002,?,?,CPU: ,00000005), ref: 00357D17
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00357D20
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,004458A8,00000002), ref: 00357DA5
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00357DAE
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
                                        • String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
                                        • API String ID: 4051163352-1312762833
                                        • Opcode ID: a5ec3b0cc2cf38f611f915c61d99e3adcf519bf4487edee2f8cccb98a7463144
                                        • Instruction ID: 0149543c07f1ca7b5fca387c915d7aa7f8004d3ff2624a54c0ee6b825816a3eb
                                        • Opcode Fuzzy Hash: a5ec3b0cc2cf38f611f915c61d99e3adcf519bf4487edee2f8cccb98a7463144
                                        • Instruction Fuzzy Hash: FA129E70A012099FEB01DF68DC49BAEBBB5FF44311F1582A9E815AB2A2DB34DD45CB50
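To read a record like the one above without decoding stack slots by hand, the following is an added example (not part of the Joe Sandbox report and not code from the analysed sample) that parses the "APIs" bullet lines of the routine at 00357837 and decodes the CreateFileW constants as printed: C0000000 is GENERIC_READ|GENERIC_WRITE, 00000003 is FILE_SHARE_READ|FILE_SHARE_WRITE, 00000004 is OPEN_ALWAYS, 00000080 is FILE_ATTRIBUTE_NORMAL, and the SetFilePointer move method 00000002 is FILE_END (append). It also checks two call-order facts visible in the record: CreateFileW(OPEN_ALWAYS) immediately followed by GetLastError is the documented way to tell a newly created file from a reused one (ERROR_ALREADY_EXISTS), which lines up with the "LOGGER->Creating LOG file at:" and "LOGGER->Reusing LOG file at:" strings, and GetLastError at 00357854 precedes the first OutputDebugStringW at 003578CF, whereas the classic OutputDebugString/GetLastError anti-debug idiom calls OutputDebugString first and reads the error code after it. The bullet-line regex and the sample lines (copied from the record above) are the only assumptions; the same parser applies to every other record on this page.

```python
"""Parse and decode Joe Sandbox "APIs" bullet lines from one function record.

Added example, not Joe Sandbox output and not code from the analysed sample.
Only the bullet-line format shown on this page is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the bullet lines of the logger routine at
# 00357837 as printed in this report (addresses and arguments copied verbatim).
SAMPLE_LINES = """\
• CreateFileW.KERNEL32(004C6078,C0000000,00000003,00000000,00000004,00000080,00000000,79276D7D,004C6054,004C606C,?), ref: 00357837
• GetLastError.KERNEL32 ref: 00357854
• OutputDebugStringW.KERNEL32(00000000,00000020), ref: 003578CF
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00357A3C
• WriteFile.KERNEL32(00000000,004C5920,00000000,00000000,00000000,?,0000001C), ref: 00357A6C
• FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00357A71
  • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
"""

# Assumed line shape: "• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw stack slots exactly as printed ("?" = unknown)
    ref: int                 # address of the call site
    subcall: Optional[int]   # set when the line is "Part of subcall function X"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet line; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def arg_int(slot: str) -> Optional[int]:
    """Slots are printed as hex (a leading '-' is kept); '?' and strings give None."""
    try:
        return int(slot, 16)
    except ValueError:
        return None


def _flags(value, table):
    names = [name for bit, name in table if value & bit]
    return "|".join(names) if names else hex(value)


ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x02, "FILE_ATTRIBUTE_HIDDEN"),
         (0x100, "FILE_ATTRIBUTE_TEMPORARY"), (0x4000000, "FILE_FLAG_DELETE_ON_CLOSE")]
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


def decode_createfile(call: ApiCall) -> dict:
    """CreateFileW has seven parameters; slots after the seventh are whatever sat
    above them on the stack (return addresses, locals) and are ignored here."""
    if call.api != "CreateFileW" or len(call.args) < 7:
        raise ValueError("not a fully printed CreateFileW call")
    access, share, disp, attrs = (arg_int(call.args[i]) for i in (1, 2, 4, 5))
    return {"access": _flags(access, ACCESS), "share": _flags(share, SHARE),
            "disposition": DISPOSITION.get(disp, str(disp)),
            "attributes": _flags(attrs, ATTRS)}


def own_calls_in_address_order(calls) -> List[ApiCall]:
    """The report lists calls in plugin order, not code order; sort by call site."""
    return sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)


def open_always_then_getlasterror(calls) -> bool:
    """True when CreateFileW(OPEN_ALWAYS) is immediately followed by GetLastError:
    the documented way to learn whether the file already existed (ERROR_ALREADY_EXISTS)."""
    own = own_calls_in_address_order(calls)
    return any(a.api == "CreateFileW" and arg_int(a.args[4]) == 4 and b.api == "GetLastError"
               for a, b in zip(own, own[1:]))


def debug_string_order(calls) -> List[str]:
    """First-occurrence order of GetLastError and OutputDebugString* by address.
    The classic anti-debug idiom is OutputDebugString first, GetLastError second."""
    seen: List[str] = []
    for c in own_calls_in_address_order(calls):
        if (c.api == "GetLastError" or c.api.startswith("OutputDebugString")) and c.api not in seen:
            seen.append(c.api)
    return seen


def seek_mode(calls) -> Optional[str]:
    """Move method of the first SetFilePointer call (FILE_END means append)."""
    for c in calls:
        if c.api == "SetFilePointer" and len(c.args) >= 4:
            return MOVE_METHOD.get(arg_int(c.args[3]))
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(decode_createfile(parsed[0]))
    print("OPEN_ALWAYS -> GetLastError:", open_always_then_getlasterror(parsed))
    print("order:", debug_string_order(parsed), "seek:", seek_mode(parsed))
```

Run it as a script to see the decoded CreateFileW call; to triage another record, paste that record's bullet lines into `SAMPLE_LINES` or pass them to `parse_api_lines` directly.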
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 002435FA
                                        • VariantClear.OLEAUT32(?), ref: 0024362C
                                        • VariantClear.OLEAUT32(?), ref: 00243726
                                        • VariantClear.OLEAUT32(?), ref: 00243755
                                        • SysFreeString.OLEAUT32(00000000), ref: 0024375C
                                        • SysAllocString.OLEAUT32(00000000), ref: 002437A3
                                        • VariantClear.OLEAUT32(?), ref: 00243827
                                        • VariantClear.OLEAUT32(?), ref: 00243859
                                        • VariantClear.OLEAUT32(?), ref: 00243959
                                        • VariantClear.OLEAUT32(?), ref: 0024398C
                                        • SysFreeString.OLEAUT32(00000000), ref: 00243997
                                        • SysAllocString.OLEAUT32(00000000), ref: 002439DD
                                        • VariantClear.OLEAUT32(?), ref: 00243A5A
                                        • VariantClear.OLEAUT32(?), ref: 00243A8C
                                        • VariantClear.OLEAUT32(?), ref: 00243BAC
                                        • VariantClear.OLEAUT32(?), ref: 00243BDB
                                        • SysFreeString.OLEAUT32(00000000), ref: 00243BE2
                                        • SysAllocString.OLEAUT32(00000000), ref: 00243C35
                                        • VariantClear.OLEAUT32(?), ref: 00243CBA
                                        • VariantClear.OLEAUT32(?), ref: 00243CEC
                                        • VariantClear.OLEAUT32(?), ref: 00243DDD
                                        • VariantClear.OLEAUT32(?), ref: 00243E0A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID:
                                        • API String ID: 1305860026-0
                                        • Opcode ID: 86af3882dbb9762dd86f5fe1bbaa247caf5b80ddb1daffd82f1ea0d2c4dc0297
                                        • Instruction ID: ebad41bd11e573b39f769afa4d424adbdf073e4fb6136dbda8b46b49ecbb099e
                                        • Opcode Fuzzy Hash: 86af3882dbb9762dd86f5fe1bbaa247caf5b80ddb1daffd82f1ea0d2c4dc0297
                                        • Instruction Fuzzy Hash: DE42B071910259EFCB04DFA8C844BDEFBB4FF48314F148269E805EB291E7789A15CBA5
                                        APIs
                                          • Part of subcall function 0022F5F0: EnterCriticalSection.KERNEL32(004C6250,79276D7D,00000000,?,?,?,?,?,?,0022EE50,003DF68D,000000FF), ref: 0022F62D
                                          • Part of subcall function 0022F5F0: LoadCursorW.USER32(00000000,00007F00), ref: 0022F6A8
                                          • Part of subcall function 0022F5F0: LoadCursorW.USER32(00000000,00007F00), ref: 0022F74E
                                        • SysFreeString.OLEAUT32(00000000), ref: 0022F233
                                        • SysAllocString.OLEAUT32(00000000), ref: 0022F264
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0022F33B
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0022F34B
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0022F356
                                        • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 0022F364
                                        • GetWindowLongW.USER32(?,000000EB), ref: 0022F372
                                        • SetWindowTextW.USER32(?,0044337C), ref: 0022F411
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 0022F448
                                        • GlobalLock.KERNEL32(00000000), ref: 0022F456
                                        • GlobalUnlock.KERNEL32(?), ref: 0022F47A
                                        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0022F501
                                        • SysFreeString.OLEAUT32(00000000), ref: 0022F516
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 0022F55D
                                        • SysFreeString.OLEAUT32(00000000), ref: 0022F585
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
                                        • String ID: L4;$~4;
                                        • API String ID: 4180125975-751004607
                                        • Opcode ID: dddf7320f5003aa568ae5c56d4bf8d6a42dc718d8da4cc761a36d33cc5669bf3
                                        • Instruction ID: c7a9c9c69f35e482a763beb345b26b9ad66213f0ceede4ab76f297ea243415f0
                                        • Opcode Fuzzy Hash: dddf7320f5003aa568ae5c56d4bf8d6a42dc718d8da4cc761a36d33cc5669bf3
                                        • Instruction Fuzzy Hash: EED1C07190021AEFDB11DFE4DE48BAEBBB8EF45314F244178F911A7290D7789A10CBA5
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00238D83
                                        • ShowWindow.USER32(00000000,?), ref: 00238DA2
                                        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00238DB0
                                        • GetWindowRect.USER32(00000000,?), ref: 00238DC7
                                        • ShowWindow.USER32(00000000,?), ref: 00238DE8
                                        • SetWindowLongW.USER32(?,000000EB,?), ref: 00238DFF
                                          • Part of subcall function 00232970: RaiseException.KERNEL32(?,?,00000000,00000000,003B5A3C,C000008C,00000001,?,003B5A6D,00000000,?,002291C7,00000000,79276D7D,00000001,?), ref: 0023297C
                                        • ShowWindow.USER32(?,?), ref: 00238F43
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00238F79
                                        • ShowWindow.USER32(?,?), ref: 00238F96
                                        • GetWindowRect.USER32(?,?), ref: 00238FBB
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 002390F8
                                        • GetWindowRect.USER32(?,?), ref: 002391B5
                                        • GetWindowRect.USER32(?,?), ref: 00239207
                                        • SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 00239243
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$LongRectShow$MessageSend$ExceptionRaise
                                        • String ID: L/;
                                        • API String ID: 1022490566-634813695
                                        • Opcode ID: c9beb9bf4b2f27f0962ed8edcd415cfa8d7502ebd5349c13f2a7c1d5ab413ef6
                                        • Instruction ID: eb79849bc36a88dceed4b094baa8beeb95ea47184add1cb9dc2c49b7f0febbc9
                                        • Opcode Fuzzy Hash: c9beb9bf4b2f27f0962ed8edcd415cfa8d7502ebd5349c13f2a7c1d5ab413ef6
                                        • Instruction Fuzzy Hash: C212BBB1614705AFDB25CF68C844BAABBF5FF89304F10491DF886AB260DB70E895CB51
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0022ECCB
                                        • GetWindowLongW.USER32(00000004,000000EC), ref: 0022ECDB
                                        • SetWindowLongW.USER32(00000004,000000EC,00000000), ref: 0022ECE6
                                        • NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 0022ECF4
                                        • GetWindowLongW.USER32(00000004,000000EB), ref: 0022ED02
                                        • SetWindowTextW.USER32(00000004,0044337C), ref: 0022EDA1
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 0022EDD8
                                        • GlobalLock.KERNEL32(00000000), ref: 0022EDE6
                                        • GlobalUnlock.KERNEL32(?), ref: 0022EE0A
                                        • SetWindowLongW.USER32(00000004,000000EB,00000000), ref: 0022EE6F
                                        • NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 0022EEBD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                        • String ID: L4;$~4;
                                        • API String ID: 3555041256-751004607
                                        • Opcode ID: d40fb2a69c60c87a40557eb0b52e4b2e61b09f1bf9741c0b425eb76d966447ac
                                        • Instruction ID: ece4afebe51261755e75e3aae98d58940a6d563a18b151aefd08bd88c4f5eb9c
                                        • Opcode Fuzzy Hash: d40fb2a69c60c87a40557eb0b52e4b2e61b09f1bf9741c0b425eb76d966447ac
                                        • Instruction Fuzzy Hash: CAA10871910226EBDF10DFA4DD48FAFBBB9EF45310F260129F811A7291DB349910DBA5
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 0032C452
                                        • FindClose.KERNEL32(00000000), ref: 0032C480
                                        • FindClose.KERNEL32(00000000), ref: 0032C509
                                        Strings
                                        • No acceptable version found. It must be downloaded., xrefs: 0032C8DD
                                        • No acceptable version found. It is already downloaded and it will be installed., xrefs: 0032C8F2
                                        • Not selected for install., xrefs: 0032C900
                                        • No acceptable version found. It must be installed from package., xrefs: 0032C8D6
                                        • An acceptable version was found., xrefs: 0032C8CF
                                        • No acceptable version found., xrefs: 0032C8F9
                                        • No acceptable version found. It must be downloaded manually from a site., xrefs: 0032C8E4
                                        • No acceptable version found. Operating System not supported., xrefs: 0032C8EB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                        • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                        • API String ID: 544434140-749633484
                                        • Opcode ID: 630acd7a6aa1c1a5f05aae15d4dafa1d24a8349e81a2a912654d356b443a99ec
                                        • Instruction ID: f4f59a5bb5b1444a1f665048012aa0ddf1936a6e690f3c0167a56269143ebd79
                                        • Opcode Fuzzy Hash: 630acd7a6aa1c1a5f05aae15d4dafa1d24a8349e81a2a912654d356b443a99ec
                                        • Instruction Fuzzy Hash: C6F1BE30900619CFDB11DF69C8487AEFBB1EF45310F258699D8199B392EB34EA44CF90
                                        APIs
                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0027FC1B
                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 0027FC2B
                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 0027FC40
                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 0027FC51
                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 0027FC64
                                        • GetWindowRect.USER32(?,?), ref: 0027FC92
                                          • Part of subcall function 002812B0: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0028130F
                                          • Part of subcall function 002812B0: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,0027FDEC,00000000,79276D7D,?,?), ref: 00281328
                                          • Part of subcall function 00230DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00230DE6
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 0027FCF4
                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 0027FD04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateLongRect
                                        • String ID: ,
                                        • API String ID: 1954517558-3772416878
                                        • Opcode ID: 439b09c89c51030816b8e0e2017cca8cebaa504a7671682fb9d60346dbcf52b8
                                        • Instruction ID: 3698abccdb74a17c5b8b46879c7b403cf0a197c7444e3ae622ef331af3250d75
                                        • Opcode Fuzzy Hash: 439b09c89c51030816b8e0e2017cca8cebaa504a7671682fb9d60346dbcf52b8
                                        • Instruction Fuzzy Hash: A1A11871A002099FDB14CFA9CD95BAEBBF9FF48300F50462AE516EB291D774A914CF50
                                        APIs
                                        • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00246143
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • __Init_thread_footer.LIBCMT ref: 0024610F
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        • SendMessageW.USER32(?,0000104D,00000000,?), ref: 0024643F
                                        • SendMessageW.USER32(?,0000102B,?,?), ref: 002464CF
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 00246555
                                        • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00246695
                                          • Part of subcall function 0022C3F0: __floor_pentium4.LIBCMT ref: 0022C40D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__floor_pentium4
                                        • String ID: AiFeatIco
                                        • API String ID: 4294328693-859831556
                                        • Opcode ID: 5c28561622231441a7331a0ad8f7fcdb724f50005960ff9f8d0abd87c0e5426c
                                        • Instruction ID: 32eb4ce3c95cd625d18d9c8b8f3afde6f548d7e6cd2f4251595c05061303b24d
                                        • Opcode Fuzzy Hash: 5c28561622231441a7331a0ad8f7fcdb724f50005960ff9f8d0abd87c0e5426c
                                        • Instruction Fuzzy Hash: 8A22D271910249DFDF14DFA8C989BEDBBB5FF49300F144169E805AF292DB70AA44CBA1
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00302C80
                                        • SendMessageW.USER32(?,00000443,00000000), ref: 00302CEA
                                        • MulDiv.KERNEL32(?,00000000), ref: 00302D21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow
                                        • String ID: ;3;$NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                        • API String ID: 701072176-1972730380
                                        • Opcode ID: 8dff1bcbac30af60d68c237ec149ec4add73134f2a7e37be86d88cde3f55b358
                                        • Instruction ID: 8886af76d4233d738af55356c810ef0f8414c1cfc335e32d6e7aeaeb069a1d88
                                        • Opcode Fuzzy Hash: 8dff1bcbac30af60d68c237ec149ec4add73134f2a7e37be86d88cde3f55b358
                                        • Instruction Fuzzy Hash: 8CC1CD71A00708AFEB14CF64CC55BEAB7B1FF89300F108299E556AB2D1DB746A49CF90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$`&#
                                        • API String ID: 4168288129-3538739984
                                        • Opcode ID: f0fa4c7e1e21d81a0ba19b59874998aea6034c6c6c9353e8f82601b571147da4
                                        • Instruction ID: dc2c2e2b36d53abe31944f5f7b03929b8199600068e20fa8db0385c24f8aa583
                                        • Opcode Fuzzy Hash: f0fa4c7e1e21d81a0ba19b59874998aea6034c6c6c9353e8f82601b571147da4
                                        • Instruction Fuzzy Hash: DCD20772E182288BDB66CF28ED407EAB7B9EB44305F1545EBD40DE7240DB35AE858F41
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • _wcschr.LIBVCRUNTIME ref: 0034A6D9
                                        • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 0034A82E
                                        • GetDriveTypeW.KERNEL32(?), ref: 0034A84A
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 0034AA37
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 0034AAC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Wow64$DriveInit_thread_footerRedirection$DisableHeapLogicalProcessRevertStringsType_wcschr
                                        • String ID: ]%!
                                        • API String ID: 2638324580-1069524040
                                        • Opcode ID: 45381a48149843bc65d3733d5185c6a87e81f82f9d2c8a407e0dda0ac97f952b
                                        • Instruction ID: e41aeffbf4297f4d01e75e9990ffe30e3e37dc82edc8af087c213bd032854a18
                                        • Opcode Fuzzy Hash: 45381a48149843bc65d3733d5185c6a87e81f82f9d2c8a407e0dda0ac97f952b
                                        • Instruction Fuzzy Hash: 40F1B170940569DFDB26CB68C844BADF7F4EF04310F1582E9E459AB291DB70AE84CF91
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • GetACP.KERNEL32(?,?,?,?,?,?,003C93AE,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 003D3C41
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,003C93AE,?,?,?,00000055,?,-00000050,?,?), ref: 003D3C6C
                                        • _wcschr.LIBVCRUNTIME ref: 003D3D00
                                        • _wcschr.LIBVCRUNTIME ref: 003D3D0E
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 003D3DCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                        • String ID: utf8
                                        • API String ID: 4147378913-905460609
                                        • Opcode ID: fc53d8aa6b60334b34c9fe3fccd076d6a5702392af19a6ab27dad9250ec6a798
                                        • Instruction ID: 042b2caff007576d1943484f0fa982de31cfec9358a64c6080a8c6c33c78b2ca
                                        • Opcode Fuzzy Hash: fc53d8aa6b60334b34c9fe3fccd076d6a5702392af19a6ab27dad9250ec6a798
                                        • Instruction Fuzzy Hash: B771E873A40305AADB26AB39EC42BA773A9EF44700F15442BF505DB781EB74EF408762
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,79276D7D,?,00000000,00000000), ref: 0035FBF1
                                        • FindNextFileW.KERNEL32(?,00000000), ref: 0035FC0C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: FileFind$FirstNext
                                        • String ID:
                                        • API String ID: 1690352074-0
                                        • Opcode ID: 6ae6dc66b3c8edb16f3cbb01c1f58722c45b2435d8dac97d13743b06028f8598
                                        • Instruction ID: 531d90ece0546a05ec5a21743cc8e895a44dcf0f3c71b4e430fb4bc230cf3b90
                                        • Opcode Fuzzy Hash: 6ae6dc66b3c8edb16f3cbb01c1f58722c45b2435d8dac97d13743b06028f8598
                                        • Instruction Fuzzy Hash: 1D719B71901249DFDB15DFA8CD49BEEBBB8FF08314F158169E815AB291DB349E08CB50
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: _strrchr
                                        • String ID: `&#
                                        • API String ID: 3213747228-3593461860
                                        • Opcode ID: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
                                        • Instruction ID: 419ed915f52db10454951955f93381e8806cf72617c0f122bf6033ebecaea1e5
                                        • Opcode Fuzzy Hash: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
                                        • Instruction Fuzzy Hash: 21B10472A042569FDB268F68C881FEEBBA5EF59350F15817EF805EF241D2749D01CBA0
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00323BA8
                                        • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00323C45
                                        • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00323C6B
                                        • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00323CB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess
                                        • String ID: P3D
                                        • API String ID: 3625725927-371660571
                                        • Opcode ID: 843081275cf9e99a7f76c57895b6c10a19824b2d69d2196fab9a3a8527efb0a8
                                        • Instruction ID: 4c5bcf748fd6932a444259b08453a37b02e750581a0c5cfd7dd03207ac947efd
                                        • Opcode Fuzzy Hash: 843081275cf9e99a7f76c57895b6c10a19824b2d69d2196fab9a3a8527efb0a8
                                        • Instruction Fuzzy Hash: 95A1E571A002299FDB15DF68DC45BAEB7F4FF44324F14862EE815D7381E7B99A048B90
                                        APIs
                                        • ShowWindow.USER32(?,00000000), ref: 00280B67
                                        • ShowWindow.USER32(?,00000005), ref: 00280B93
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00280BC5
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00280BE3
                                        • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?), ref: 00280BF6
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00280C0D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$Show$NtdllProc_
                                        • String ID:
                                        • API String ID: 3227303085-0
                                        • Opcode ID: 51268bf6f4c0c75ecd1e59301879ea59c32a90a7fb17501943cd91a20645d528
                                        • Instruction ID: 9caf14e1735cbb6588eadb3bcaa52ff0ddc10d919e6c44e691ff04e7650f7301
                                        • Opcode Fuzzy Hash: 51268bf6f4c0c75ecd1e59301879ea59c32a90a7fb17501943cd91a20645d528
                                        • Instruction Fuzzy Hash: E4215C75605204DFDB55AF58DC94B6DBBB1FF89321F20026AE416973E1CB325814DF44
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000C,003B5BBD,00000000,?,003B5D55,00000000,?,?,00230B74,?), ref: 003B5CA3
                                        • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,00230B74,?), ref: 003B5CCA
                                        • HeapAlloc.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5CD1
                                        • InitializeSListHead.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5CDE
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00230B74,?), ref: 003B5CF3
                                        • HeapFree.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5CFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                        • String ID:
                                        • API String ID: 1475849761-0
                                        • Opcode ID: bbe07d6cea1fa08771b652d8715cacd7733a5d5fb51ec0e806b03dd31d3d370a
                                        • Instruction ID: 2510d7400c72af1025ed7b0f3995514ce77a752f3ebd0f80630fdaa368d71581
                                        • Opcode Fuzzy Hash: bbe07d6cea1fa08771b652d8715cacd7733a5d5fb51ec0e806b03dd31d3d370a
                                        • Instruction Fuzzy Hash: B6F0C232601B019BD7529F29AC18B0AB7F8BB88726F06453CFA42C3260DF70C8008B64
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,003D462D,00000002,00000000,?,?,?,003D462D,?,00000000), ref: 003D43A8
                                        • GetLocaleInfoW.KERNEL32(?,20001004,003D462D,00000002,00000000,?,?,?,003D462D,?,00000000), ref: 003D43D1
                                        • GetACP.KERNEL32(?,?,003D462D,?,00000000), ref: 003D43E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: f0a32ba0887fc52c9326d12065f279a61b53de7eb4d1b323033abcb606be9b94
                                        • Instruction ID: 95f38082a28bb2b88c49d5a1a8e9293236e5de70696ba137ecba06058f2706a5
                                        • Opcode Fuzzy Hash: f0a32ba0887fc52c9326d12065f279a61b53de7eb4d1b323033abcb606be9b94
                                        • Instruction Fuzzy Hash: 0921B33BA00100A7DB379F5CE941A9BB3AAEB54B54B5B8536F90AD7304E732DD60C790
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 003D45F0
                                        • IsValidCodePage.KERNEL32(00000000), ref: 003D4639
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 003D4648
                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 003D4690
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 003D46AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                        • String ID:
                                        • API String ID: 415426439-0
                                        • Opcode ID: b7e9b39a141476d9acba6141548539e74a93ea965a55b9036d8d1ba64d386d7e
                                        • Instruction ID: 52863b2c129a23543f7c849b344cc92d1aa4450e9fb7feb8740d74b0f9b969e1
                                        • Opcode Fuzzy Hash: b7e9b39a141476d9acba6141548539e74a93ea965a55b9036d8d1ba64d386d7e
                                        • Instruction Fuzzy Hash: 88518173900205ABDF12DFA9EC41ABAB7B9FF05700F15446AF515EB290EB70DE148B61
                                        APIs
                                        • GetWindowLongW.USER32(00000003,000000FC), ref: 0023C546
                                        • SetWindowLongW.USER32(00000003,000000FC,?), ref: 0023C558
                                        • DeleteCriticalSection.KERNEL32(?,79276D7D,?,?,?,?,003E19C4,000000FF), ref: 0023C583
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: LongWindow$CriticalDeleteSection
                                        • String ID: PVD
                                        • API String ID: 1978754570-246253817
                                        • Opcode ID: 8754b1876523392528203276924fbf4610af82082a105f382063c0e741524876
                                        • Instruction ID: e34bed09d9a3b64e21984f8f3a610b9737aab38fe364efe69e5754790e3dc0d1
                                        • Opcode Fuzzy Hash: 8754b1876523392528203276924fbf4610af82082a105f382063c0e741524876
                                        • Instruction Fuzzy Hash: 4E31D2B0A00646EBCF11DF24CD44B9AFBF8BF05310F204229E814A76D2D775EA20CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9af53a3b10d2ff13d2b91a9777b691cc440267b92a885064deeed78792015c0b
                                        • Instruction ID: 1feac662d5897f4bc995f3da330a503da6649fdf97fdb4e8642b98709fb58a64
                                        • Opcode Fuzzy Hash: 9af53a3b10d2ff13d2b91a9777b691cc440267b92a885064deeed78792015c0b
                                        • Instruction Fuzzy Hash: 3B817C719012189FDB50DF68CC49B99FBF8EF45314F1482D9E818AB292DB74AE84CF91
                                        APIs
                                        • FindResourceW.KERNEL32(00000000,?,00000017,79276D7D,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 002BAB88
                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 002BAB9B
                                        • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 002BABAA
                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 002BABBA
                                          • Part of subcall function 00321480: MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,79276D7D,00000000,00000000), ref: 003214D4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Resource$ByteCharFindLoadLockMultiSizeofWide
                                        • String ID:
                                        • API String ID: 203124936-0
                                        • Opcode ID: 598b0cc2d7e76ad7628e72c76bf66392de80f17f11aaf86c5bb181e8fe2646ff
                                        • Instruction ID: cd1b6c4c5b4acc997cb854d3a79647d741ddc68b82b03666dcb3657588d74c05
                                        • Opcode Fuzzy Hash: 598b0cc2d7e76ad7628e72c76bf66392de80f17f11aaf86c5bb181e8fe2646ff
                                        • Instruction Fuzzy Hash: 0E31E371D14705ABD7209F64ED45BAAFBB4EB44B50F00462AE855972C0EB70A914C7A1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00280D3E
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00280D5C
                                        • NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00280D6E
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00280D80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$NtdllProc_
                                        • String ID:
                                        • API String ID: 3674618424-0
                                        • Opcode ID: e81f7a1695ea0c8764226f78968e3b6ff7d4444aa36781dc4dfaa93ecd5215b1
                                        • Instruction ID: a2509cb419fc1d64c0a5f757b82217b30145a10f437d590f9596b4178684505d
                                        • Opcode Fuzzy Hash: e81f7a1695ea0c8764226f78968e3b6ff7d4444aa36781dc4dfaa93ecd5215b1
                                        • Instruction Fuzzy Hash: 1931AC70A04215AFDB11CF68DD95B5DBBF1EF86320F2042AAE811AB3E1CB756D14DB50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00280C3C
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00280C5A
                                        • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?), ref: 00280C70
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00280C87
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$NtdllProc_
                                        • String ID:
                                        • API String ID: 3674618424-0
                                        • Opcode ID: 033dc6497ed82bc85f23160243432fdbb306ac24c6be78974e121be993a5f3a3
                                        • Instruction ID: cfd86b8c88ea88273a528596d642e00cc074a4247a1445dcbbdfa5af4e8050cf
                                        • Opcode Fuzzy Hash: 033dc6497ed82bc85f23160243432fdbb306ac24c6be78974e121be993a5f3a3
                                        • Instruction Fuzzy Hash: 8F112772A04218AFDB659F98DD54B9DBBB1FB48320F21032AF965A33E0CB7219149B44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: yxxx$yxxx$yxxx$yxxx
                                        • API String ID: 0-3504637693
                                        • Opcode ID: c198a6b8ac3e86705d8dc48583845a6d86b486eca4f2e5d9db160bb58a474a4f
                                        • Instruction ID: 8040a563abf81c35d522b1a35011aadeecd87bceec98302b577dcc55fc266fd5
                                        • Opcode Fuzzy Hash: c198a6b8ac3e86705d8dc48583845a6d86b486eca4f2e5d9db160bb58a474a4f
                                        • Instruction Fuzzy Hash: 3F02A6B2A005059FCF19DF5DC982AAEB7F5EF88300F148629E916EB395D774E901CB90
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 0034B88C
                                        • FindClose.KERNEL32(00000000), ref: 0034B9D7
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Find$AllocCloseFileFirstHeap
                                        • String ID: %d.%d.%d.%d
                                        • API String ID: 2507753907-3491811756
                                        • Opcode ID: f28a486a064d2392efac255ec05caec64376b5e62b9703e26204e7f340a769c4
                                        • Instruction ID: 9262508d2d9df5c6ddd725d316abe64f9ec0dc82456ee82e62228ebc47792061
                                        • Opcode Fuzzy Hash: f28a486a064d2392efac255ec05caec64376b5e62b9703e26204e7f340a769c4
                                        • Instruction Fuzzy Hash: 68616D71905219DFDF21DF68C849B9DFBB4EF44314F108299E819AB291DB35AA84CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                        • API String ID: 0-932585912
                                        • Opcode ID: 8a885373e1a72f5cb5caeb3a8d4bdf7e416321d1f1350985638f3917de65396f
                                        • Instruction ID: c2d1ee9932efe55730a5e0834ed2aae060d5070d8188c5d3c7c5ff55c533304f
                                        • Opcode Fuzzy Hash: 8a885373e1a72f5cb5caeb3a8d4bdf7e416321d1f1350985638f3917de65396f
                                        • Instruction Fuzzy Hash: 29D1C3B0D10268DFEF04CFA9C845BADBBB5FF44304F108159E455AB286D778AA19CFA1
                                        APIs
                                        • IsWindow.USER32(00000004), ref: 002388DE
                                        • GetWindowLongW.USER32(00000004,000000FC), ref: 002388F7
                                        • SetWindowLongW.USER32(00000004,000000FC,?), ref: 00238909
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        • Opcode ID: 110b65bf6143fd27d211bbb2fe51fb35a2f5eeee0d67872fa042abab5e11330c
                                        • Instruction ID: ffe97a27aa89decf4cc18f0885a014b78da9e6b9fde86460afee062bfea9eb1f
                                        • Opcode Fuzzy Hash: 110b65bf6143fd27d211bbb2fe51fb35a2f5eeee0d67872fa042abab5e11330c
                                        • Instruction Fuzzy Hash: 1C418CB0600B46EFDB14CF65D908B5AFBB4FF05314F104269E4149BB90DBB6E924CB91
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 003BAE0B
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003BAE15
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 003BAE22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: e87079af81a149d9bcd0f4e419dc4ca101f5a70c3c054da00cb770bc30f72c77
                                        • Instruction ID: 2d74db654d7d0c274e5092a1b4e1fdc1aac2070fc6342fb0dead7212b8273eca
                                        • Opcode Fuzzy Hash: e87079af81a149d9bcd0f4e419dc4ca101f5a70c3c054da00cb770bc30f72c77
                                        • Instruction Fuzzy Hash: F431D4749012289BCB22DF64DC897CDBBB8BF08314F5045EAE50CAB250EB709B858F45
                                        APIs
                                        • GetWindowLongW.USER32(?,000000FC), ref: 00231689
                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 00231697
                                        • DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,0044383C), ref: 002316C3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$Destroy
                                        • String ID:
                                        • API String ID: 3055081903-0
                                        • Opcode ID: d768684199f9891130d3e9ccfd7476766cd0c27cc0a64883ffe4bb27744e0ab0
                                        • Instruction ID: c8b6e1609204bff9e1b687d8c6ee1dd4aa39623f66a7c3b6baf614acdfa5fea6
                                        • Opcode Fuzzy Hash: d768684199f9891130d3e9ccfd7476766cd0c27cc0a64883ffe4bb27744e0ab0
                                        • Instruction Fuzzy Hash: 74F03070004F119BD7A15F68EE09F827BE4BF44721F144B2CE4AA825F0C730E850DB08
                                        APIs
                                        • SendMessageW.USER32(?,0000102B,00000000,?), ref: 0024774D
                                        • SendMessageW.USER32(?,0000102B,0000009B,?), ref: 00247932
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: ada4dfdedc0b455610f3137ba63c8f79440d8c706f4bc4e6a79dbdd6297dee1b
                                        • Instruction ID: 4cc7838ca1449fd3ba4d27c704c878e0e345c34953d8f0d5e14d97d6e7446f01
                                        • Opcode Fuzzy Hash: ada4dfdedc0b455610f3137ba63c8f79440d8c706f4bc4e6a79dbdd6297dee1b
                                        • Instruction Fuzzy Hash: A1A1F371A14606AFDB1CCF24C995BEAFBF5FB04304F14826AE469DB281D734EA11CB90
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,79276D7D,00000000,?,00000000), ref: 0033E48E
                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 0033E4D9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 4392ab18197ac125cdbc6545466d219417d287f37b8aa6136f5db1be6921e139
                                        • Instruction ID: fcc01dc2e856652493007dd0879442ad804206f8e2a371373bc0493846503f60
                                        • Opcode Fuzzy Hash: 4392ab18197ac125cdbc6545466d219417d287f37b8aa6136f5db1be6921e139
                                        • Instruction Fuzzy Hash: 79519F71900609DFEB21DFA8C888BAEB7F4FF48318F104559E915AB381D774AA05CF91
                                        APIs
                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,79276D7D,00000008,00000000), ref: 0032227B
                                        • GetLastError.KERNEL32 ref: 00322285
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: a57ddae29aff76f452a963dbf44b0f6052170dea9b61aa8db1f6b2b36bbd667f
                                        • Instruction ID: 0bc0a4bfccb4955b810ab0d10bf0f5397af1017e77022a443e900ccc57b03e5a
                                        • Opcode Fuzzy Hash: a57ddae29aff76f452a963dbf44b0f6052170dea9b61aa8db1f6b2b36bbd667f
                                        • Instruction Fuzzy Hash: CD318171A00329EBDB10DF99DC05BAEB7F8EB44714F21052EF918E7380DBB699048B95
                                        APIs
                                        • GetWindowLongW.USER32(00000000,000000FC), ref: 0028007F
                                        • SetWindowLongW.USER32(00000000,000000FC,?), ref: 0028008D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        • Opcode ID: 00f054ab12e201d5f7cfa3665995d477cdc816fbd559664a26a767ab975b416d
                                        • Instruction ID: dd0e235347f04e8eff0d785cd30802ea63bd9e0a80121d0d4d83125ad05f5094
                                        • Opcode Fuzzy Hash: 00f054ab12e201d5f7cfa3665995d477cdc816fbd559664a26a767ab975b416d
                                        • Instruction Fuzzy Hash: D8318F71901606EFCB50DF69C984B9AFBF4FB04320F208369E424A77D1D735A924CB90
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,79276D7D,?,00000000,00000000,00000000,0042351D,000000FF), ref: 0034E678
                                        • FindClose.KERNEL32(00000000,?,79276D7D,?,00000000,00000000,00000000,0042351D,000000FF), ref: 0034E6C2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 30ac2c05c16a174b0f96f0fc9a3d81a524e8ffc6f06c981e9b77e092dec53b46
                                        • Instruction ID: cc3a9197bda2cff07996817cb3986f6833c91c3baf3572bd68bed4e3fca5e5e6
                                        • Opcode Fuzzy Hash: 30ac2c05c16a174b0f96f0fc9a3d81a524e8ffc6f06c981e9b77e092dec53b46
                                        • Instruction Fuzzy Hash: AD21B2719005589FD710DF68DC49BEEF7B8FF84324F10422AE9259B2D1DB345A08CB94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: }m'y$}m'y
                                        • API String ID: 0-2486897750
                                        • Opcode ID: 3e898025e61e46448137762ebf24600c41ca2701638ba517f3fdb731d90de2dd
                                        • Instruction ID: 8e8a1f1167a358bebba4f0ea97be5902a02c6e1938fc39175052905bf5401c85
                                        • Opcode Fuzzy Hash: 3e898025e61e46448137762ebf24600c41ca2701638ba517f3fdb731d90de2dd
                                        • Instruction Fuzzy Hash: 941100B1904648DFDB44CF59C544789BBF4FB09728F2082AEE8189B381D37A9A06CF84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2
                                        • API String ID: 0-450215437
                                        • Opcode ID: c14bcd43fa9ddfa4a3b15dc059687c2e16b6e912b40007daab1de7762bc8dab9
                                        • Instruction ID: a52c8a34fbe98a90f88836a23e62ca2f4fec971876349d1c79a99404470a02f0
                                        • Opcode Fuzzy Hash: c14bcd43fa9ddfa4a3b15dc059687c2e16b6e912b40007daab1de7762bc8dab9
                                        • Instruction Fuzzy Hash: 3832C2B1A047128BCB14CF25D95056BB7E5AF88305F048E3EF9C6CB285EA34E958C797
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `&#
                                        • API String ID: 0-3593461860
                                        • Opcode ID: 22250e1d73a1b518c95db2a9a6cef9bb979d30c338af83592f4fafbf8e19f867
                                        • Instruction ID: 6cd7e7cb80e650ea40897fcca76d5c8f7d3087df7eb063f3244879b39dc27ea5
                                        • Opcode Fuzzy Hash: 22250e1d73a1b518c95db2a9a6cef9bb979d30c338af83592f4fafbf8e19f867
                                        • Instruction Fuzzy Hash: E0E1DB34A006058FCB26CF6CC481AEEB7F1FF49718B218A19D656DBA91DB30ED46CB51
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003D423A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: 4f1e85a0eda4bc3aaf98089ea88eeaeee1efde767035dc951684d19d0a729d8b
                                        • Instruction ID: f8c1e3f3a72aaf291df77d8a7dae514b4d8f3b40b999bbda5218c90145f9b100
                                        • Opcode Fuzzy Hash: 4f1e85a0eda4bc3aaf98089ea88eeaeee1efde767035dc951684d19d0a729d8b
                                        • Instruction Fuzzy Hash: 1B218E73610206ABDB2A9F29EC42ABA77ACEF45310B10447AFD05CA741EB74ED418B60
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • EnumSystemLocalesW.KERNEL32(003D3F93,00000001,00000000,?,-00000050,?,003D45C4,00000000,?,?,?,00000055,?), ref: 003D3EDF
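Added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small Python parser for the "APIs" lines of these function entries, so the call sites can be pulled into a script instead of being read by hand. It assumes the line shape shown in the entries (a bullet, an optional "Part of subcall function <addr>:" prefix, Api.MODULE(args), then "ref: <addr>"), that "?" marks an argument the sandbox could not recover, and that the ref addresses are virtual addresses inside the dumped image whose base, 0x220000, is the "Offset" printed in each Memory Dump Source block. The sample input is copied from the API lines on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Image base of the dumped module, taken from the entry header
# "Source File: ..., Offset: 00220000, based on PE: true".
# Assumption: every "ref:" address in these entries is a VA inside that image.
IMAGE_BASE = 0x220000

# One line of an "APIs" block, e.g.
#   • EnumSystemLocalesW.KERNEL32(003D3F93,00000001,?,...), ref: 003D3EDF
#   • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function\s+(?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report shows '?' (value not recovered)
    ref: int                   # VA of the call site
    subcall: Optional[int]     # VA of the callee containing the call, if reached indirectly


def parse_arg(token: str) -> Optional[int]:
    """'?' -> None; otherwise a hex literal, possibly negative (-00000050 -> -0x50)."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every API line in a block; lines that are not API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("subcall"), 16) if m.group("subcall") else None,
        ))
    return calls


def rva(call: ApiCall, base: int = IMAGE_BASE) -> int:
    """Relative virtual address of the call site, for matching against the on-disk PE."""
    return call.ref - base


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself, not by a subroutine it calls."""
    return [c for c in calls if c.subcall is None]


def subcall_groups(calls: List[ApiCall]) -> Dict[int, List[str]]:
    """Map each subroutine address to the APIs the report attributes to it."""
    groups = defaultdict(list)
    for c in calls:
        if c.subcall is not None:
            groups[c.subcall].append(c.api)
    return dict(groups)


def apis_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Sorted, de-duplicated API names per exporting module."""
    out = defaultdict(set)
    for c in calls:
        out[c.module].add(c.api)
    return {m: sorted(v) for m, v in out.items()}


# Sample input: API lines copied from the function entries on this page.
SAMPLE = """\
APIs
  • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
  • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
• EnumSystemLocalesW.KERNEL32(003D3F93,00000001,00000000,?,-00000050,?,003D45C4,00000000,?,?,?,00000055,?), ref: 003D3EDF
APIs
  • Part of subcall function 003CA89A: EnterCriticalSection.KERNEL32(-004C5108,?,003CCE16,00229F56,004B9668,0000000C,003CD0E1,?), ref: 003CA8A9
• EnumSystemLocalesW.KERNEL32(003CFBFC,00000001,004B97A8,0000000C,003D002B,00000000), ref: 003CFC41
"""

if __name__ == "__main__":
    for c in parse_api_block(SAMPLE):
        where = f"via sub_{c.subcall:08X}" if c.subcall is not None else "direct"
        print(f"{c.api}.{c.module} ref={c.ref:08X} rva={rva(c):06X} {where} args={c.args}")
```

The RVA is the value to use when locating the same call site in the original file or in a different run, since the dump was taken with the image loaded at 0x220000 and the module may be relocated elsewhere next time. Arguments reported as "?" stay None rather than 0 so that a later check does not mistake an unrecovered value for a real zero.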
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: 896f09c2e08a6f715896078c653c4278529dcc61abc6718f506d70a34e3d535b
                                        • Instruction ID: d91ae35734fdb881aa605d22a19dd116a6e7f6ecb36c12deab2a1f8d10642ffe
                                        • Opcode Fuzzy Hash: 896f09c2e08a6f715896078c653c4278529dcc61abc6718f506d70a34e3d535b
                                        • Instruction Fuzzy Hash: 7F11E9376047059FDB189F39D8956BABBA1FF80368B15443EE98787B40E7716E42C740
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,003D41AF,00000000,00000000,?), ref: 003D4441
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: 0c0dba7b6fdc02e3cc87f3f4c65fad1143ecb4ecd8fa844f52859222c6758fa3
                                        • Instruction ID: 30317d53f7a173dd0606a0f1a28b22ff21297d600b5ae79e874c32f49380c395
                                        • Opcode Fuzzy Hash: 0c0dba7b6fdc02e3cc87f3f4c65fad1143ecb4ecd8fa844f52859222c6758fa3
                                        • Instruction Fuzzy Hash: A8F02D339102117BDF255726ED05BBA7778EB40754F06442AED95A3240EB34FE82C6E0
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 003D3DCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID: utf8
                                        • API String ID: 3736152602-905460609
                                        • Opcode ID: c7f904c9a5594f027330b2bb2ab05029d51c5f12049e0046608fb30da9d95920
                                        • Instruction ID: 6bcc1b0991936d6858ad4a8b3ee1c8abad277a12a8dc38e95693356faa1df4ea
                                        • Opcode Fuzzy Hash: c7f904c9a5594f027330b2bb2ab05029d51c5f12049e0046608fb30da9d95920
                                        • Instruction Fuzzy Hash: DFF0C833A11205ABC725AF39EC46EFA73ECDB45324F11017EBA06DB381EA78AD058750
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • EnumSystemLocalesW.KERNEL32(003D41E6,00000001,?,?,-00000050,?,003D4588,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 003D3F52
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: 09734f7e868fa8e0b9f01da8f4d2a8db11a99be1fae51d15ef568decd4091381
                                        • Instruction ID: 7bac23281b93cee86f0a00d108161177a85f55c0b733b07d19624d0c139ca4ca
                                        • Opcode Fuzzy Hash: 09734f7e868fa8e0b9f01da8f4d2a8db11a99be1fae51d15ef568decd4091381
                                        • Instruction Fuzzy Hash: CCF0F6376043086FDB255F39AC81A7A7BA9FF80768F09447EF9458B780D6B19E42C710
                                        APIs
                                          • Part of subcall function 003CA89A: EnterCriticalSection.KERNEL32(-004C5108,?,003CCE16,00229F56,004B9668,0000000C,003CD0E1,?), ref: 003CA8A9
                                        • EnumSystemLocalesW.KERNEL32(003CFBFC,00000001,004B97A8,0000000C,003D002B,00000000), ref: 003CFC41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 2c9086548669de8eb0be77e4296cf443981f613ac75c77f1478989d3a75bf904
                                        • Instruction ID: eafd9c7fba16b6820dba7968e7d71135f93edf55eda818678b178c3905724c73
                                        • Opcode Fuzzy Hash: 2c9086548669de8eb0be77e4296cf443981f613ac75c77f1478989d3a75bf904
                                        • Instruction Fuzzy Hash: 73F04976A10318DFD705EFA8E842F9DBBF0FB44720F10816AF404DB2A1CB7A99418B54
                                        APIs
                                          • Part of subcall function 003CD836: GetLastError.KERNEL32(?,00000008,003CF453), ref: 003CD83A
                                          • Part of subcall function 003CD836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 003CD8DC
                                        • EnumSystemLocalesW.KERNEL32(003D3D7B,00000001,?,?,?,003D45E6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 003D3E59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: a345da12a47e6c2f6f8a083cb0f9a71d9bc60327694d5971d251a05803271b7b
                                        • Instruction ID: 8f4ad8c02dccf577c4b54c1063186ac6aafd5303a3214a85baef00f70948276c
                                        • Opcode Fuzzy Hash: a345da12a47e6c2f6f8a083cb0f9a71d9bc60327694d5971d251a05803271b7b
                                        • Instruction Fuzzy Hash: E9F0553770020557CB059F39E845A6ABF90EFC1720B0B006EFA0A8B290C6719E43C750
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,0023FD16,?,?,?,?,?,?,?,?,0023FB78,?,?), ref: 00241640
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: NtdllProc_Window
                                        • String ID:
                                        • API String ID: 4255912815-0
                                        • Opcode ID: 68407077eb6fc3b8876e71d6ad7478da54a5a598d88da46d487b6bf853b38022
                                        • Instruction ID: 12890a414a571eea7bb468c0188a1062f39f13162936b33b184e646fcef60bfd
                                        • Opcode Fuzzy Hash: 68407077eb6fc3b8876e71d6ad7478da54a5a598d88da46d487b6bf853b38022
                                        • Instruction Fuzzy Hash: D6F05834014186DEE3098F14E8A8A69FBAAFB45346F4945F5E158C5461C339CEB4DA10
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,003C9F14,?,20001004,00000000,00000002,?,?,003C9516), ref: 003D01BA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 596d79e37cf1a2a96b9d5890af2874496e99f716a7fff3e7362ebe02c154fe67
                                        • Instruction ID: 44bf110ddd441b2b15d9857c9b9cb31cf9316163ab471aed02e59dd3298454d9
                                        • Opcode Fuzzy Hash: 596d79e37cf1a2a96b9d5890af2874496e99f716a7fff3e7362ebe02c154fe67
                                        • Instruction Fuzzy Hash: 2DE04F36500618BBCF172F61EC09FAEBE2AFF44B60F004025FD0565225CB328D21AAD8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1
                                        • API String ID: 0-2212294583
                                        • Opcode ID: 21d85792d2fd01848d659fe8936d92cfe80d22e65b348c8d3280df7b7b3c4a6e
                                        • Instruction ID: b71d3c4739b312a23e12af736bc5a037862b97aaf96a8551f3693b637dd00fdb
                                        • Opcode Fuzzy Hash: 21d85792d2fd01848d659fe8936d92cfe80d22e65b348c8d3280df7b7b3c4a6e
                                        • Instruction Fuzzy Hash: C0D112B0905B8AEFE749CF64C55878AFBF4BF05308F14825DD4685B281D3BAA618CBD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {D
                                        • API String ID: 0-1498132776
                                        • Opcode ID: 31029d75fca1d393882dc38c95a5933147dbdd720a19dcc0de5e5e8820888d3d
                                        • Instruction ID: 1324961fb8e51453aaaafaec5820b23fe69415617f6fc2cc1bf758f793251128
                                        • Opcode Fuzzy Hash: 31029d75fca1d393882dc38c95a5933147dbdd720a19dcc0de5e5e8820888d3d
                                        • Instruction Fuzzy Hash: 8641F5B0905B45EEE704CF69C51878AFBF0BB09318F20825EC4589B781D3BAA619CFD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `VD
                                        • API String ID: 0-717647209
                                        • Opcode ID: 3235631094c44e75faf79087d882e0a2ca3c0a2e42f7e931d2d16ee7241bd6fc
                                        • Instruction ID: 73c69736750e42f401c235ee63548a7ef4eb0798363054cd94f0ed95b2d28924
                                        • Opcode Fuzzy Hash: 3235631094c44e75faf79087d882e0a2ca3c0a2e42f7e931d2d16ee7241bd6fc
                                        • Instruction Fuzzy Hash: 3831D0B0405B84CFE721CF29C658787BFF0BB15718F108A5DD4A64BB91D3BAA508CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b65c3304a3a26542b534971aeb7251065fdd1c0549c76c39a2a7bf003cf404ff
                                        • Instruction ID: a03db6b485c53a24d299b9edca1781acb4d595dcbbd146b782320e20a6a4ee2d
                                        • Opcode Fuzzy Hash: b65c3304a3a26542b534971aeb7251065fdd1c0549c76c39a2a7bf003cf404ff
                                        • Instruction Fuzzy Hash: E102F772E102199FDB19DF6CC881AAEF7B5EB48350F15823EE91597391EB30AD14CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55280e19b77ebbe551c1a25c0a7998fd69e3b579fffd7f2d4987d2a4cadfd53a
                                        • Instruction ID: 39898e8f7f15103bb41cb9508aaf73588ffc1db8d1080f55d612fd05b372acd2
                                        • Opcode Fuzzy Hash: 55280e19b77ebbe551c1a25c0a7998fd69e3b579fffd7f2d4987d2a4cadfd53a
                                        • Instruction Fuzzy Hash: C4C1EE38A00606CFCB26CF6DC4906EEBBE5AF0530CF15461AD69A9BE92D730ED45CB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                        • String ID:
                                        • API String ID: 3471368781-0
                                        • Opcode ID: 824019bd926e7eb66fba7a639239fb80584ebb45f1e9dae74bfa45165e47a434
                                        • Instruction ID: cdb16a5142fdca7e1231af54111a9503da6ed81e40de2d2fc0e3f3abbd59eee2
                                        • Opcode Fuzzy Hash: 824019bd926e7eb66fba7a639239fb80584ebb45f1e9dae74bfa45165e47a434
                                        • Instruction Fuzzy Hash: E9B117775007419BCB399B28DC92BB7B3A8EF44308F54452EE943CA780EA75EE85D711
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57d5f2ec01f4b7e44245c7f25d5bb9fa0b0f49db207aede57124e6d0645b9e59
                                        • Instruction ID: e46a49ef6b6b5b4c033a439961d130b5edab96751ac4c889a44e89a9c5683106
                                        • Opcode Fuzzy Hash: 57d5f2ec01f4b7e44245c7f25d5bb9fa0b0f49db207aede57124e6d0645b9e59
                                        • Instruction Fuzzy Hash: 0871F8B0805B48DFE761CF68C95478ABFF0BB05314F108A5EC4A99B391D3B96648DF91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0977c94b5fd7894b852e285ea8236cde98acdb08ca10c3a225f5e766a10b8a85
                                        • Instruction ID: 79727ecf89da7fca445f279b39955c41f79c90a6d733e0b6849b2789c46e34b5
                                        • Opcode Fuzzy Hash: 0977c94b5fd7894b852e285ea8236cde98acdb08ca10c3a225f5e766a10b8a85
                                        • Instruction Fuzzy Hash: 09215BB1804748CFD710CF58C944B8ABBF4FB09714F1186AED4559B791D3B9AA44CF94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d48cc1f76cdb65e987a5a9f512b026bfdc393fb7ad1533864809439c848677de
                                        • Instruction ID: 6ec588918b4180e7e9a6e07f91007c65954ad3e0808906ace7bb32a5f073c8bd
                                        • Opcode Fuzzy Hash: d48cc1f76cdb65e987a5a9f512b026bfdc393fb7ad1533864809439c848677de
                                        • Instruction Fuzzy Hash: BA216DB1804748DFD710CF58C944B8ABBF4FB09314F1186AED455AB791D3B9AA44CF94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                        • Instruction ID: e524a43005c7b7ae9c8399a517fbfdcc0cf8764132df4e8733f4a8e1fb7ce4f7
                                        • Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
                                        • Instruction Fuzzy Hash: 9BE0EC7391522CEBCB26DB99D949D8AF3ECEB45B50B1544AAF501D7311D270DE00D7D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
                                        • Instruction ID: f0ad5095f6b49df33ffb4511ea62cf4c2d96594543650462c3aa29dd55c5c7a8
                                        • Opcode Fuzzy Hash: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
                                        • Instruction Fuzzy Hash: C2C08C76811A0057CE2B89248372BA43354B3A1786F9A348CC40A8BB42C51E9C82E780
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • GetModuleHandleW.KERNEL32(kernel32,79276D7D,?,?,00000000), ref: 0030A3B3
                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0030A3FB
                                        • __Init_thread_footer.LIBCMT ref: 0030A40E
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 0030A456
                                        • __Init_thread_footer.LIBCMT ref: 0030A469
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0030A4B1
                                        • __Init_thread_footer.LIBCMT ref: 0030A4C4
                                          • Part of subcall function 002E1FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002E1FF1
                                          • Part of subcall function 002E1FB0: _wcschr.LIBVCRUNTIME ref: 002E20AF
                                        Strings
                                        • SetDefaultDllDirectories, xrefs: 0030A4AB
                                        • 0|E, xrefs: 0030A5F8
                                        • |E, xrefs: 0030A55A
                                        • 0}E, xrefs: 0030A550
                                        • x}E, xrefs: 0030A56E
                                        • @|E, xrefs: 0030A50A
                                        • P*E, xrefs: 0030A582
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 0030A347
                                        • 0|E, xrefs: 0030A500
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 0030A327, 0030A32F
                                        • $~E, xrefs: 0030A61B
                                        • H}E, xrefs: 0030A596
                                        • l~E, xrefs: 0030A630
                                        • kernel32.dll, xrefs: 0030A60D
                                        • <~E, xrefs: 0030A5DC
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 0030A322
                                        • T|E, xrefs: 0030A4EC
                                        • d}E, xrefs: 0030A5A0
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 0030A340, 0030A34F
                                        • T~E, xrefs: 0030A5E3
                                        • x|E, xrefs: 0030A4F6
                                        • kernel32, xrefs: 0030A3AE
                                        • SetSearchPathMode, xrefs: 0030A3F5
                                        • ~E, xrefs: 0030A653
                                        • SetDllDirectory, xrefs: 0030A450
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
                                        • String ID: $~E$0|E$0|E$0}E$<~E$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@|E$H}E$P*E$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$T|E$T~E$d}E$kernel32$kernel32.dll$l~E$x|E$x}E$|E$~E
                                        • API String ID: 1258094593-1965052767
                                        • Opcode ID: 8affb3ccd86e6b82deb9760525644f81eb270d5b8e077ce83d347379ddfa22b2
                                        • Instruction ID: c9372d43b0bb015b796f23400fa49f57fbed1712d76674675533faa72b7347c8
                                        • Opcode Fuzzy Hash: 8affb3ccd86e6b82deb9760525644f81eb270d5b8e077ce83d347379ddfa22b2
                                        • Instruction Fuzzy Hash: 99A180B09043189BDB11CF55E849B9EBBB4FF01316F11C1AAE8186B382DBB8594CCF59
                                        APIs
                                        • LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00362FA9
                                        • LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00362FB9
                                        • GetLastError.KERNEL32(?,00000000), ref: 00362FF7
                                        • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 00363036
                                        • GetLastError.KERNEL32(?,00000000), ref: 00363050
                                        • LocalFree.KERNEL32(?,?,00000000), ref: 00363061
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,79276D7D,771AF530,?,?), ref: 00363100
                                        • GetLastError.KERNEL32 ref: 0036311E
                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0036314B
                                        • GetLastError.KERNEL32 ref: 00363155
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 003631DA
                                        • GetLastError.KERNEL32 ref: 003631E4
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0036321C
                                        • SystemTimeToFileTime.KERNEL32(00000000,0044341C), ref: 0036323D
                                        • CompareFileTime.KERNEL32(0044341C,?), ref: 0036324F
                                        • PathFileExistsW.SHLWAPI(?,00000005), ref: 003632EC
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,00000001,S-1-1-0,10000000,00000001), ref: 00363387
                                        • GetLastError.KERNEL32 ref: 00363397
                                        • CloseHandle.KERNEL32(00000000), ref: 0036339F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: FileTime$ErrorLast$Local$FreeSystem$Create$AllocCloseCompareExistsHandlePath
                                        • String ID: .part$S-1-1-0$S-1-5-18
                                        • API String ID: 1123205858-2727065896
                                        • Opcode ID: a32e0d8e5177eb76fa6897119123f9386a2d11e5636014404f191fec3f86b503
                                        • Instruction ID: 07ad97708d18cb2ea3b29212e8d287dc4eb0db1e518e75d53465a190fb0ccaa7
                                        • Opcode Fuzzy Hash: a32e0d8e5177eb76fa6897119123f9386a2d11e5636014404f191fec3f86b503
                                        • Instruction Fuzzy Hash: 02128A70A007049FDB22CFA9C948BAABBF4FF44304F15852DE546976A0DBB0EA48CB55
                                        APIs
                                        • OutputDebugStringW.KERNEL32(?,79276D7D,?,?,?,0041C4C5,000000FF,?,003604CF,?,?,?,00000000), ref: 0032DCD8
                                        • GetActiveWindow.USER32 ref: 0032DC3A
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
                                        • String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$T`L$majorupgrade-content.mst$|3D$|3D$bL
                                        • API String ID: 758407959-3149313761
                                        • Opcode ID: 9ccbcc5bc0957cb10a52a48057c152e750fc5e1d82850f79804db2e6b300e579
                                        • Instruction ID: 390c3773938e36dfd9d343bc8cc1ae10ad07280e9e68aa0a1f7067d3150ee120
                                        • Opcode Fuzzy Hash: 9ccbcc5bc0957cb10a52a48057c152e750fc5e1d82850f79804db2e6b300e579
                                        • Instruction Fuzzy Hash: A751DC71A002159FDB15DF6CD858BAEBBB4EF45320F1582ADE819AB2A1DB309D00CF91
                                        Strings
                                        • Unable to find file , xrefs: 00354B43
                                        • Unable to retrieve exit code from process., xrefs: 00354E92
                                        • Unable to get a temp file for script output, temp path: , xrefs: 00354C1F
                                        • Unable to retrieve PowerShell output from file: , xrefs: 00354E6F
                                        • powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00354C6F
                                        • ps1, xrefs: 00354BB6, 00354BC8, 00354BD2
                                        • Unable to create process: , xrefs: 00354D15
                                        • txt, xrefs: 00354BE3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
                                        • API String ID: 0-4129021124
                                        • Opcode ID: f6b1966c3e7933d083c7bd360b33fb40ce56f2562fd9e7f839552f2d0243fbcb
                                        • Instruction ID: f4a9e0c4bec22e4e960548f4ee20150799c3235e3ee7e4d77acc2f534b71591d
                                        • Opcode Fuzzy Hash: f6b1966c3e7933d083c7bd360b33fb40ce56f2562fd9e7f839552f2d0243fbcb
                                        • Instruction Fuzzy Hash: D5C1A070900649EFDB15DFA8CD45FAEBBB4BF04315F108259F814AB2A1DB74AA98CF50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$LongParentlstrcmp
                                        • String ID: #32770$L4;
                                        • API String ID: 4031819654-517946083
                                        • Opcode ID: 37629c6dded8872dda9d06f2106997ad09fd3c8f48968ac4a3420310f7d79100
                                        • Instruction ID: d931437955410812053ef5a14cdf3f9ec50c048509b4578a23d02f1afac19032
                                        • Opcode Fuzzy Hash: 37629c6dded8872dda9d06f2106997ad09fd3c8f48968ac4a3420310f7d79100
                                        • Instruction Fuzzy Hash: E8E1CFB0A1021AEFDB14CFA4C958FADBBB5FF49711F148129F801AB290D774AD64CB64
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,79276D7D,?,?,00000000,?,?,?,?,?,?,}m'y,003E8E95,000000FF), ref: 0025D74D
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0025D753
                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,}m'y,003E8E95,000000FF,?,002745FA,0044B84C,}m'y,79276D7D), ref: 0025D783
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0025D789
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$|3D$}m'y$}m'y
                                        • API String ID: 2574300362-2766852522
                                        • Opcode ID: 56d33267b049981eae163263c8db6f349bc4cc68e2d4b76496fdbefddf3155aa
                                        • Instruction ID: 8045bcfd46ed7a4b5a2b35d0b8b729a351c226d39da7420a0f1ef17c7f7022f2
                                        • Opcode Fuzzy Hash: 56d33267b049981eae163263c8db6f349bc4cc68e2d4b76496fdbefddf3155aa
                                        • Instruction Fuzzy Hash: 0DA1BE7192020AEFDF25DFA8C885BEEBBB4EF08311F144129E811A7290DB749A59CB54
                                        APIs
                                        • GetDlgItem.USER32(?,000001F6), ref: 00329EDE
                                        • GetDlgItem.USER32(?,000001F8), ref: 00329EEB
                                        • GetDlgItem.USER32(?,000001F7), ref: 00329F38
                                        • SetWindowTextW.USER32(00000000,00000000), ref: 00329F47
                                        • ShowWindow.USER32(?,00000005), ref: 00329F67
                                          • Part of subcall function 003293B0: GetWindowLongW.USER32(?,000000F0), ref: 003293EF
                                          • Part of subcall function 003293B0: GetWindowLongW.USER32(?,000000F0), ref: 00329400
                                          • Part of subcall function 003293B0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00329412
                                          • Part of subcall function 003293B0: GetWindowLongW.USER32(?,000000EC), ref: 00329425
                                          • Part of subcall function 003293B0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00329434
                                          • Part of subcall function 003293B0: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00329448
                                          • Part of subcall function 003293B0: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00329457
                                        • GetDlgItem.USER32(?,000001F7), ref: 00329F86
                                        • SetWindowTextW.USER32(00000000,00000000), ref: 00329F95
                                        • ShowWindow.USER32(?,00000000), ref: 00329FB5
                                        • ShowWindow.USER32(?,00000000), ref: 00329FBC
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 0032A005
                                        • GetDlgItem.USER32(00000000,00000000), ref: 0032A039
                                        • IsWindow.USER32(00000000), ref: 0032A043
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000616), ref: 0032A090
                                        Similarity
                                        • API ID: Window$ItemLong$Show$MessageSendText
                                        • String ID: Details <<$Details >>
                                        • API String ID: 1573988680-3763984547
                                        • Opcode ID: 37911a3aa3ae6c51f9dd27334d325cdc6b7090bfc39d1ef3c8149f7b57bc28dc
                                        • Instruction ID: f7e32be79d1039b2f11c5e4fa1258352d8b191f96dbe4aabfc76ced410b38849
                                        • Opcode Fuzzy Hash: 37911a3aa3ae6c51f9dd27334d325cdc6b7090bfc39d1ef3c8149f7b57bc28dc
                                        • Instruction Fuzzy Hash: 5E71DE71900608ABDB25DFA9ED56FAEFBF4EF98704F20822DF501A7291D731A841CB54
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • CreateThread.KERNEL32(00000000,00000000,002529B0,00447458,00000000,?), ref: 0025292A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00252943
                                        • CloseHandle.KERNEL32(00000000), ref: 00252959
                                        • CoInitializeEx.COMBASE(00000000,00000000), ref: 00252A09
                                        • GetProcessHeap.KERNEL32(?,00000000), ref: 00252B0B
                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 00252B11
                                        • GetProcessHeap.KERNEL32(?,00000000), ref: 00252B90
                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 00252B96
                                        • CoUninitialize.COMBASE ref: 00252CEA
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00252D6B
                                        Similarity
                                        • API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
                                        • String ID: $tD$XtD$|3D$|3D
                                        • API String ID: 1779960141-1879253227
                                        • Opcode ID: cc9c06f44031cd4b7269fd95cdea85e1e33208612f6389bf36ef067af332bb80
                                        • Instruction ID: db24f425f6fcc12a3dd0c8e906f5789072c66f39c41de0e7ef5ee255149d9302
                                        • Opcode Fuzzy Hash: cc9c06f44031cd4b7269fd95cdea85e1e33208612f6389bf36ef067af332bb80
                                        • Instruction Fuzzy Hash: 00F18C70D01209DFDB10CFA8C945BEEBBB8BF45305F248199E805AB2D1DB749A48CBA4
                                        APIs
                                        • LoadLibraryW.KERNEL32(Advapi32.dll,79276D7D,00000000,00000000), ref: 00362AA1
                                        • GetLastError.KERNEL32 ref: 00362ACF
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                        • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00362AE5
                                        • FreeLibrary.KERNEL32(00000000), ref: 00362AFE
                                        • GetLastError.KERNEL32 ref: 00362B0B
                                        • GetLastError.KERNEL32 ref: 00362CF9
                                        • GetLastError.KERNEL32 ref: 00362D5E
                                        Similarity
                                        • API ID: ErrorLast$Library$AddressAllocFreeHeapLoadProc
                                        • String ID: ,(E$Advapi32.dll$ConvertStringSidToSidW
                                        • API String ID: 1560807876-3461186169
                                        • Opcode ID: 9455110f4f83ea188dfd3d774de1c306c2cdd39f5f2bf6b4d7a7537f1a7c2518
                                        • Instruction ID: 37786a8eec694f2df3e5ef1cb23fbcb04d79ff0f385db9d6dc20cccddf401279
                                        • Opcode Fuzzy Hash: 9455110f4f83ea188dfd3d774de1c306c2cdd39f5f2bf6b4d7a7537f1a7c2518
                                        • Instruction Fuzzy Hash: 86F18CB1C01609AFDF01CF94C945BEEBBB4FF05314F228229E915BB280D775AA55CBA1
                                        APIs
                                        • EnterCriticalSection.KERNEL32(004C6250,79276D7D,00000000,?,?,?,?,?,?,0022EE50,003DF68D,000000FF), ref: 0022F62D
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0022F6A8
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0022F74E
                                        • LeaveCriticalSection.KERNEL32(004C6250), ref: 0022F7A3
                                        Similarity
                                        • API ID: CriticalCursorLoadSection$EnterLeave
                                        • String ID: rw$AtlAxWin140$AtlAxWinLic140$PbL$WM_ATLGETCONTROL$WM_ATLGETHOST$f.;$lbL$lbL$p.;
                                        • API String ID: 3727441302-1631689028
                                        • Opcode ID: 1c3c7005473ee4fa0fbfd63e23db2bfd4a7a66ba2270025fd3bcc23dffb7bc46
                                        • Instruction ID: 5203137a517b4a0091589e62d8bff8823e6d2afc286dce72acf2b82ed79cf29a
                                        • Opcode Fuzzy Hash: 1c3c7005473ee4fa0fbfd63e23db2bfd4a7a66ba2270025fd3bcc23dffb7bc46
                                        • Instruction Fuzzy Hash: 4B5137B5C11219AFDB91DFD4D954BDEBFF8EB08714F11412AE804B7290DBB856048FA8
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(004C611C,79276D7D,?,?,00000000,?,?,?,?,?,00000000,0041B407,000000FF), ref: 003284B3
                                        • EnterCriticalSection.KERNEL32(?,79276D7D,?,?,00000000,?,?,?,?,?,00000000,0041B407,000000FF), ref: 003284C5
                                        • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,0041B407,000000FF), ref: 003284D2
                                        • GetCurrentThread.KERNEL32 ref: 003284DD
                                        • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,00000000,?,0044337C,00000000,?,?,?,?,?,00000000,0041B407,000000FF), ref: 003286BE
                                        • LeaveCriticalSection.KERNEL32(?,0044337C,00000000,?,?,?,?,?,00000000,0041B407,000000FF), ref: 0032879A
                                        Similarity
                                        • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                        • String ID: *** Stack Trace (x86) ***$ rw$4aL$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix] ${t;
                                        • API String ID: 3051236879-650202802
                                        • Opcode ID: 86c780ebc6c40f935e0d26c1c1eece3b709e53b3f39fde9cb5d6b55cd5109dee
                                        • Instruction ID: bd5896703ad2e2bbae578277e6521a9309578db9068bbf4586b8c38d7ebc9fd6
                                        • Opcode Fuzzy Hash: 86c780ebc6c40f935e0d26c1c1eece3b709e53b3f39fde9cb5d6b55cd5109dee
                                        • Instruction Fuzzy Hash: 8CA1AA71601388AFDF22DFA4DC55BEE7BB8BF05308F104128E909AB291DB795B08CB51
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,79276D7D,?,?,?,?,?,?,?,79276D7D,003E64A5,000000FF,?,0025371A,004474D0), ref: 00253467
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0025346D
                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,79276D7D,003E64A5,000000FF,?,0025371A,004474D0,79276D7D,79276D7D), ref: 0025349E
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002534A4
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$|3D
                                        • API String ID: 2574300362-1671736940
                                        • Opcode ID: 82b0cc639a6f4ddc541d4e599a6d05c68561e247ddbcd849bcf36e258dd7c893
                                        • Instruction ID: 380c866825aa3174e2126d5e6784f61a5403e73ae8c7f6ee4cb5e77d2bb66c61
                                        • Opcode Fuzzy Hash: 82b0cc639a6f4ddc541d4e599a6d05c68561e247ddbcd849bcf36e258dd7c893
                                        • Instruction Fuzzy Hash: B281D070920209EFDB15DFA8C881BEEFBB4EF08350F14516DE811B7290DB749A58CB68
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(004C6054,79276D7D,?,00000010), ref: 003574FC
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        • EnterCriticalSection.KERNEL32(00000010,79276D7D,?,00000010), ref: 00357509
                                        • WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0035753B
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00357544
                                        • WriteFile.KERNEL32(00000000,00343C07,6054B9EC,0042500D,00000000,0044334C,00000001,?,?,000000FF,00000000), ref: 003575C6
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 003575CF
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00357605
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0035760E
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,004458A8,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 0035766F
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00357678
                                        • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 003576A8
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                        Similarity
                                        • API ID: File$BuffersFlushWrite$CriticalSection$AllocEnterFindHeapInitializeLeaveResource
                                        • String ID: rw$L3D
                                        • API String ID: 3436934177-3644781462
                                        • Opcode ID: 4c3099b3b58678df480000a03ebb726336ba0e4d3f53d80d7d784f15f36124e8
                                        • Instruction ID: e288f2b68b785e106ccea3cef6bb401b8061c148944c289c37eeab561851dedf
                                        • Opcode Fuzzy Hash: 4c3099b3b58678df480000a03ebb726336ba0e4d3f53d80d7d784f15f36124e8
                                        • Instruction Fuzzy Hash: 84618A70904644AFEB01DFA8DD49FAABBB4FF05315F148169F805A72A1DB319D18CFA4
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0027A49E
                                        • SetWindowLongW.USER32(?,000000F0,00C80000), ref: 0027A4CC
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0027A4E1
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0027A518
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0027A545
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0027A559
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0027A57B
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0027A592
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0027A5A6
                                        • GetWindowRect.USER32(?,?), ref: 0027A5F6
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0027A61C
                                        • GetWindowRect.USER32(?,?), ref: 0027A66A
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,?), ref: 0027A6A0
                                        • SetWindowTextW.USER32(?,?), ref: 0027A6E1
                                        Similarity
                                        • API ID: Window$Long$Rect$Text
                                        • String ID:
                                        • API String ID: 445026432-0
                                        • Opcode ID: 46c278c9f80ace7370691e21c021807e864bcb1f1e57cdbfa4aed8a3dc3707ac
                                        • Instruction ID: cc2c8fcdef5576a82a8d1e202b5fe232d23ff1927f7a9c597b323c6b1a495758
                                        • Opcode Fuzzy Hash: 46c278c9f80ace7370691e21c021807e864bcb1f1e57cdbfa4aed8a3dc3707ac
                                        • Instruction Fuzzy Hash: D8916F71A00609AFDB04DFA8DD55FEDBBB5FF88310F204229F426A72A4DB35A910CB54
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 002859F7
                                        • GetParent.USER32 ref: 00285A0D
                                        • GetWindowRect.USER32(?,?), ref: 00285A18
                                        • GetParent.USER32(?), ref: 00285A20
                                        • GetWindow.USER32(?,00000004), ref: 00285A52
                                        • GetWindowRect.USER32(?,?), ref: 00285A60
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00285A6D
                                        • MonitorFromWindow.USER32(?,00000002), ref: 00285A85
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00285A9F
                                        • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00285B4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$LongMonitorParentRect$FromInfo
                                        • String ID: $/;
                                        • API String ID: 1820395375-1662183015
                                        • Opcode ID: bb7edfe987488228abde35fb78f334b15ce794aed523a4981ed3c7efceec8f37
                                        • Instruction ID: f57ba487e60e5eb2961838c5de0c5515b90c04ec3429eec7acfddd5096394076
                                        • Opcode Fuzzy Hash: bb7edfe987488228abde35fb78f334b15ce794aed523a4981ed3c7efceec8f37
                                        • Instruction Fuzzy Hash: 0A518D36D10529AFDB14DFA8CD84E9EBBB9FB48310F254229E815E3294DB30AD14CB94
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 003293EF
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00329400
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00329412
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00329425
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00329434
                                        • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00329448
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00329457
                                        • GetWindowRect.USER32(?,?), ref: 00329496
                                        • GetDlgItem.USER32(?,?), ref: 003294D2
                                        • IsWindow.USER32(00000000), ref: 003294DD
                                        • GetWindowRect.USER32(?,?), ref: 003294F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$MessageRectSend$Item
                                        • String ID: $/;
                                        • API String ID: 661679956-1662183015
                                        • Opcode ID: ca65779db92926677d0f638a21915151ac7800d5c25d569d969bbb0332072729
                                        • Instruction ID: f2a5ca57f51c10bb37ae8ae378131ef8e2867d909c9047fd0b5ecbc919fa3260
                                        • Opcode Fuzzy Hash: ca65779db92926677d0f638a21915151ac7800d5c25d569d969bbb0332072729
                                        • Instruction Fuzzy Hash: 1F41B1315047019FD761DF69ED80F2BB7E8BF98314F218A2EF59992291DB30E8848B65
                                        APIs
                                          • Part of subcall function 00322350: LoadLibraryW.KERNEL32(ComCtl32.dll,79276D7D,00000000,?,00000000), ref: 0032238E
                                          • Part of subcall function 00322350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003223B1
                                          • Part of subcall function 00322350: FreeLibrary.KERNEL32(00000000), ref: 0032242F
                                        • GetDlgItem.USER32(?,000001F4), ref: 00329D41
                                        • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00329D52
                                        • MulDiv.KERNEL32(00000009,00000000), ref: 00329D6A
                                        • GetDlgItem.USER32(?,000001F6), ref: 00329DA4
                                        • IsWindow.USER32(00000000), ref: 00329DAD
                                        • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00329DC4
                                        • GetDlgItem.USER32(?,000001F8), ref: 00329DCE
                                        • GetWindowRect.USER32(?,?), ref: 00329DDF
                                        • GetWindowRect.USER32(?,?), ref: 00329DF2
                                        • GetWindowRect.USER32(00000000,?), ref: 00329E02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
                                        • String ID: ;3;$Courier New
                                        • API String ID: 1717253393-460306225
                                        • Opcode ID: 57a38d0aa33b77dc1e828b9e8011620669c690f11618bd22a284477c40bc2423
                                        • Instruction ID: dedfbb264c6c0b51eac1bb3b8d4228b89210e4f834d88d3c01cb5d6e1000f6ac
                                        • Opcode Fuzzy Hash: 57a38d0aa33b77dc1e828b9e8011620669c690f11618bd22a284477c40bc2423
                                        • Instruction Fuzzy Hash: AC41D7717C4308BBEB159F21DD53FAE77A8AF88B04F010629FB057E1C1DAB0A8408B58
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,79276D7D,?,?), ref: 0034EC83
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 0034EE19
                                        • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 0034EE75
                                        • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 0034EEC5
                                        • RegCloseKey.ADVAPI32(?), ref: 0034EF05
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue$Close
                                        • String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                        • API String ID: 2529929805-1079072530
                                        • Opcode ID: b334883d06ffad9b5f8801c17dda70f733feed8e364dbdd6b1c4072a2eea3115
                                        • Instruction ID: f5633dbb269f192d77bac12338fd61e64661ec6c871d232e57a41b6852564df8
                                        • Opcode Fuzzy Hash: b334883d06ffad9b5f8801c17dda70f733feed8e364dbdd6b1c4072a2eea3115
                                        • Instruction Fuzzy Hash: FA027E709012699FDB21DF68CD88B9EB7B4AF44304F1542E9E808AB291DB75AE84CF50
                                        APIs
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,79276D7D,?,?,004C6054), ref: 003581F8
                                        • LoadLibraryW.KERNEL32(Shell32.dll,?,004C6054), ref: 00358207
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0035821B
                                        • SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0035829A
                                        • SHGetMalloc.SHELL32(?), ref: 003582D7
                                        • PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,?,00000000), ref: 0035832A
                                        • CreateDirectoryW.KERNEL32(?,?,Everyone,10000000,00000000,?,00000000), ref: 003583B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Path$AddressCreateDirectoryExistsFileFolderFromLibraryListLoadLocationMallocProcSpecial
                                        • String ID: ADVINST_LOGS$Everyone$SHGetSpecialFolderPathW$Shell32.dll
                                        • API String ID: 1254244429-1733115844
                                        • Opcode ID: b5e1f0360c2f7e5d4165f7ff9eeec70a10f943d59f9e494c9ebb356187d400ba
                                        • Instruction ID: ca4b3703ed4c224d40c8c3f4222a60b73feccb05a294cf3092b66ecc2b768aa2
                                        • Opcode Fuzzy Hash: b5e1f0360c2f7e5d4165f7ff9eeec70a10f943d59f9e494c9ebb356187d400ba
                                        • Instruction Fuzzy Hash: ABB1BCB0D00609DFDB11DFA9C849BAEFBF4AF44315F258129E815BB2A1EB745A08CB51
                                        APIs
                                        • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,79276D7D), ref: 0024C85C
                                          • Part of subcall function 00230DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00230DE6
                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0024C95F
                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 0024C973
                                        • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 0024C988
                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 0024C99D
                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 0024C9B4
                                        • GetWindowRect.USER32(?,?), ref: 0024C9E6
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 0024CA48
                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 0024CA58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateLongRect
                                        • String ID: ,$tooltips_class32
                                        • API String ID: 1954517558-3856767331
                                        • Opcode ID: 82012f1729e2e082ba28ddce0d677b65ace897f4893cb4d0c2995d1a6889f005
                                        • Instruction ID: fd97ac86b0512a8f3889b6aa572b39ea821bddc6a509827b1ea22fb34a35f82e
                                        • Opcode Fuzzy Hash: 82012f1729e2e082ba28ddce0d677b65ace897f4893cb4d0c2995d1a6889f005
                                        • Instruction Fuzzy Hash: F6914D71A00208AFEB14CFA5DD95FEEBBF8FB48300F10452AF616EA290D774A914CB54
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00329A94
                                        • EndDialog.USER32(?,00000000), ref: 00329B52
                                          • Part of subcall function 00329550: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00329582
                                          • Part of subcall function 00329550: GetWindowLongW.USER32(?,000000F0), ref: 00329588
                                          • Part of subcall function 00329550: GetDlgItem.USER32(?,?), ref: 003295FA
                                          • Part of subcall function 00329550: GetWindowRect.USER32(00000000,?), ref: 00329612
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Long$DialogItemMessageRectSend
                                        • String ID: L/;$U2;
                                        • API String ID: 188208873-663787360
                                        • Opcode ID: 7d427ae206ad6ce85a2a9e0674acefd5b169bf1ae44837285b5cf4b0795d1bcd
                                        • Instruction ID: 27b3b71d8a9b6bdda90b25a7dc78bc5c1b21b2734210c78012016a7b532d2958
                                        • Opcode Fuzzy Hash: 7d427ae206ad6ce85a2a9e0674acefd5b169bf1ae44837285b5cf4b0795d1bcd
                                        • Instruction Fuzzy Hash: 4971A431A002259BDB15CF68ED58BAEBBF8FF49720F11062AE416E7AD0D774D940CB64
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 003254AE
                                        • __Init_thread_footer.LIBCMT ref: 00325607
                                        • GetStdHandle.KERNEL32(000000F5,?,79276D7D,?,?), ref: 0032568F
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00325696
                                        • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 003256AA
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 003256B1
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,004458A8,00000002,?,?), ref: 00325740
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00325747
                                        • IsWindow.USER32(00000000), ref: 00325960
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                        • String ID: Error
                                        • API String ID: 2811146417-2619118453
                                        • Opcode ID: 8167034fa5977afbff6e72f0dd1db25436d73e61040b9a5179c428578556bb55
                                        • Instruction ID: e48c73eec226d699116f5ee41fb483ebdbf018134d6fbd6f62123ff4bc6a9f2e
                                        • Opcode Fuzzy Hash: 8167034fa5977afbff6e72f0dd1db25436d73e61040b9a5179c428578556bb55
                                        • Instruction Fuzzy Hash: 44227BB0D10718DFDB10CFA8D845BDEBBB0BF05314F248299E459AB291DB75AA88CF51
                                        APIs
                                          • Part of subcall function 002E1FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002E1FF1
                                          • Part of subcall function 002E1FB0: _wcschr.LIBVCRUNTIME ref: 002E20AF
                                        • GetLastError.KERNEL32(79276D7D,?,?,?,000000FF,?,00334196,?,?), ref: 0034F8ED
                                        • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 0034FA7A
                                        • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 0034FADE
                                        • FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,00334196,?,?), ref: 0034FBD2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem_wcschr
                                        • String ID: ,(E$GetPackagePath$Kernel32.dll$neutral$x64$x86
                                        • API String ID: 3734293021-3595981372
                                        • Opcode ID: 60594b00df7c075a9d5d14f8566392eede875d1806a1ba9b21dae0a6d5b158c0
                                        • Instruction ID: 8a37376e099bc2617e3fcbeb7a856689b875e40df3110a9cc41844d4936f77ae
                                        • Opcode Fuzzy Hash: 60594b00df7c075a9d5d14f8566392eede875d1806a1ba9b21dae0a6d5b158c0
                                        • Instruction Fuzzy Hash: 0AC16B70A00205DFDB05DFA8C895BADBBF4EF09314F18826DE815AB391DB74A944CF90
                                        APIs
                                        • EnterCriticalSection.KERNEL32(004C6250,79276D7D,00000000,004C626C), ref: 00232573
                                        • LeaveCriticalSection.KERNEL32(004C6250), ref: 002325D7
                                        • LoadCursorW.USER32(00220000,?), ref: 00232630
                                        • LeaveCriticalSection.KERNEL32(004C6250), ref: 002326C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leave$CursorEnterLoad
                                        • String ID: rw$ATL:%p$PbL$f.;$lbL$p.;
                                        • API String ID: 2080323225-4077051526
                                        • Opcode ID: 6e1fdf3e182fafbedc97458e0ad91e8319a7ad64faf0f93232ed8506f6253280
                                        • Instruction ID: f0b773734f73d3199a77de17a56ab8db10aea9d7d72fb95d6481049f3a36b323
                                        • Opcode Fuzzy Hash: 6e1fdf3e182fafbedc97458e0ad91e8319a7ad64faf0f93232ed8506f6253280
                                        • Instruction Fuzzy Hash: 5E51BC70904B45CBD720CF69CA45BAAF7F4FF58710F10861EE896A3690E770B988CB54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
                                        • API String ID: 0-2691827946
                                        • Opcode ID: ca9d4e217e551cde24f8187886f6e0df848877446a617da5e356da6d24828e36
                                        • Instruction ID: df3cf24a12a4e32e8a874378cfeed94054787a3f49644bac90275048b259bf5c
                                        • Opcode Fuzzy Hash: ca9d4e217e551cde24f8187886f6e0df848877446a617da5e356da6d24828e36
                                        • Instruction Fuzzy Hash: B0B1C1B1A00344DFDB25CF48D944B9EB7B1FB55320F10826EE8299B7C1D7799A00CB95
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
                                        • API String ID: 2691759472-1956487666
                                        • Opcode ID: f026969a32bb65c2f71d33e5f5cd5563ece8c2447d14cf0a1712c950fd46729f
                                        • Instruction ID: d0e6319fc78d7717031868ed513ded40cf8b13226b35d67cc57393ca8b981293
                                        • Opcode Fuzzy Hash: f026969a32bb65c2f71d33e5f5cd5563ece8c2447d14cf0a1712c950fd46729f
                                        • Instruction Fuzzy Hash: 5A41F972E40615ABDF125B54CC02B6AB7E8EB00312F15463EBC14EA6D1EF75BC14CB62
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 002431EA
                                        • VariantClear.OLEAUT32(?), ref: 0024321C
                                        • VariantClear.OLEAUT32(?), ref: 00243316
                                        • VariantClear.OLEAUT32(?), ref: 00243345
                                        • SysFreeString.OLEAUT32(00000000), ref: 0024334C
                                        • SysAllocString.OLEAUT32(00000000), ref: 00243393
                                        • VariantClear.OLEAUT32(?), ref: 0024341A
                                        • VariantClear.OLEAUT32(?), ref: 0024344C
                                        • VariantClear.OLEAUT32(?), ref: 00243527
                                        • VariantClear.OLEAUT32(?), ref: 00243556
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID:
                                        • API String ID: 1305860026-0
                                        • Opcode ID: b808d433ee4c9ccead1113e629e6c2becb40a008ab910226702e0f31a3259f87
                                        • Instruction ID: 0fc874a5e20a1f71d708e3dd2c8d8ac8b60c4f76917a231f04f44a777f28fdbb
                                        • Opcode Fuzzy Hash: b808d433ee4c9ccead1113e629e6c2becb40a008ab910226702e0f31a3259f87
                                        • Instruction Fuzzy Hash: 6DC17F71910259DFCB14DFA8C844BDEBBB8FF48310F148269E804E7391E778AA55CBA5
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • ResetEvent.KERNEL32(?,?,?), ref: 00352C4A
                                        • SetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00352C83
                                        • ResetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00352E19
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000,?,?,?), ref: 00352E4B
                                        • ResetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000), ref: 00352F26
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00352F43
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00352F4A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Event$Reset$Init_thread_footerObjectSingleWait$HeapProcess
                                        • String ID: FTP Server
                                        • API String ID: 3860647947-688436434
                                        • Opcode ID: fcef39462e0e733b063482e206e288131bf513c52e0ab8b980412715bde0057f
                                        • Instruction ID: 6e09b4db5296f812491170172426042113828fcec05cde58c196be00b008949c
                                        • Opcode Fuzzy Hash: fcef39462e0e733b063482e206e288131bf513c52e0ab8b980412715bde0057f
                                        • Instruction Fuzzy Hash: 9BD19230A00245DFDB01DF68C988B9EBBB5FF4A315F158269EC15AB3A2D774D948CB90
                                        APIs
                                        • SendMessageW.USER32(?,000000C5,?,00000000), ref: 0024B771
                                        • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 0024B7D5
                                        • lstrcpynW.KERNEL32(?,?,00000020), ref: 0024B847
                                        • MulDiv.KERNEL32(?,00000048,00000000), ref: 0024B884
                                        • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 0024B8B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrcpyn
                                        • String ID: ?$U2;$t
                                        • API String ID: 3928028829-2064999302
                                        • Opcode ID: 08c6b7588eb424e8e967f432a93f0b685b45e8f621fad6bfa0b0c20271db6616
                                        • Instruction ID: 7b762a1c24261621860c9914761a9d0a180c734a6e186ee2ce1cc95571db1969
                                        • Opcode Fuzzy Hash: 08c6b7588eb424e8e967f432a93f0b685b45e8f621fad6bfa0b0c20271db6616
                                        • Instruction Fuzzy Hash: 1F918E71614340AFE321DF64CC46F9ABBE8AF88304F004A2AF699D71A1EB74E554CB56
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,00334998), ref: 003549F3
                                        • WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 00354A37
                                        • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00354A54
                                        • CloseHandle.KERNEL32(00000000), ref: 00354A6E
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00354AAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
                                        • String ID: Unable to get temp file $Unable to save script file $ps1
                                        • API String ID: 2821137686-4253966538
                                        • Opcode ID: 61ca5e343661cff7ab154950c40b9d399eeac682ffe0c54190e18e083b88a43c
                                        • Instruction ID: 298e39ff91d5ec3b650102cfb180fa7247bd8e765039635fd395fa0562c2b642
                                        • Opcode Fuzzy Hash: 61ca5e343661cff7ab154950c40b9d399eeac682ffe0c54190e18e083b88a43c
                                        • Instruction Fuzzy Hash: 3C51D870900245AFDB15CFA8CD49FAEB7B8AF04719F148259F910A72D2D7749E48CBA8
                                        APIs
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00329582
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00329588
                                        • GetDlgItem.USER32(?,?), ref: 003295FA
                                        • GetWindowRect.USER32(00000000,?), ref: 00329612
                                        • SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 0032969F
                                        • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 003296D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$ItemLongRect
                                        • String ID: $/;$L/;
                                        • API String ID: 3432912040-1934778625
                                        • Opcode ID: 79a2aff81ef5be1a5ae9297bc27034dd5ecf2debd1a6d59ec7dce3370239022f
                                        • Instruction ID: d9f9a40648f4f054ea7a41fe317a0e8ea912884985575c6a04639df5121e3d01
                                        • Opcode Fuzzy Hash: 79a2aff81ef5be1a5ae9297bc27034dd5ecf2debd1a6d59ec7dce3370239022f
                                        • Instruction Fuzzy Hash: 49517B302043019FD725CF28E985F2ABBE1FF84718F254A2EF5999B2A5D731E844CB59
                                        APIs
                                        • GetSystemDefaultLangID.KERNEL32 ref: 00343CBE
                                        • GetUserDefaultLangID.KERNEL32 ref: 00343CCB
                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00343CDD
                                        • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00343CF1
                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00343D06
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                        • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                        • API String ID: 667524283-3528650308
                                        • Opcode ID: 54cf5ef665944283862287e4bcad5a423a3f9b9f901be3bcdde2712cfca4ad75
                                        • Instruction ID: c2c437b5bb5668457285aa841616ba7642a2eb8e11828447e23cba5813890d0e
                                        • Opcode Fuzzy Hash: 54cf5ef665944283862287e4bcad5a423a3f9b9f901be3bcdde2712cfca4ad75
                                        • Instruction Fuzzy Hash: 1841B071A083119FC745EF28D8506BAB7E1AFD9355F52192EF885CB280EB34AA44CB52
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00236CEF
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00236D43
                                        • CloseHandle.KERNEL32(00000000), ref: 00236D92
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00236DF6
                                        • CloseHandle.KERNEL32(00000000,?), ref: 00236E1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                        • String ID: aix$html$|bL
                                        • API String ID: 2030708724-1889745995
                                        • Opcode ID: 8e5d84a7cf109e04c827cd3ad9bf11102eba547474e2c6fb275c84a42f316eb7
                                        • Instruction ID: 45c830ce90aad3dfd4212ce0c398b944e9e12ef457426c13371179a79e27ea2a
                                        • Opcode Fuzzy Hash: 8e5d84a7cf109e04c827cd3ad9bf11102eba547474e2c6fb275c84a42f316eb7
                                        • Instruction Fuzzy Hash: 3451BFB1900248EFDB50DF94DC49B9EBBB4FF04708F1181ADE405AB291D7B96A08CB95
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 003B9847
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 003B984F
                                        • _ValidateLocalCookies.LIBCMT ref: 003B98D8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 003B9903
                                        • _ValidateLocalCookies.LIBCMT ref: 003B9958
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 003B996E
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 003B9983
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                        • String ID: csm
                                        • API String ID: 1385549066-1018135373
                                        • Opcode ID: a10c816bdc3d556e376b0c735efa7adfbe9a5f7a7b662bf5c7d1398477502a15
                                        • Instruction ID: fc386b22391985b3ca00af39dbc3f79be551e08286971623476ff9ac7987986c
                                        • Opcode Fuzzy Hash: a10c816bdc3d556e376b0c735efa7adfbe9a5f7a7b662bf5c7d1398477502a15
                                        • Instruction Fuzzy Hash: B541C434A00608ABCF12DF68C881BDE7BB5EF46318F148096EB159FB52D735D915CBA1
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5B70,Windows.Foundation.PropertyValue,00000020,79276D7D,?,?), ref: 0028C1C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.Foundation.PropertyValue$h[L$l[L$l[L}m'y$l[L}m'y$}m'y$}m'y
                                        • API String ID: 4129690577-2663321768
                                        • Opcode ID: 2dfeb36242e1b73c76c54ce89e275051bdf24eeefdeae0aadb393c35ee46b836
                                        • Instruction ID: 9e4df650bce434e39d3a7dd55c4430345426c653ee349fcbb4fc3d07282f680b
                                        • Opcode Fuzzy Hash: 2dfeb36242e1b73c76c54ce89e275051bdf24eeefdeae0aadb393c35ee46b836
                                        • Instruction Fuzzy Hash: E5318B75D1121AEBDB04DFA4C945BAEBBB4FB04714F20402AE815772C1DBB46A48CBE5
                                        APIs
                                          • Part of subcall function 00352140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0035029A,?,79276D7D,?,?,?,000000FF,?), ref: 00352154
                                          • Part of subcall function 00352140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0035029A,?,79276D7D,?,?,?,000000FF,?,0034FC64), ref: 00352171
                                          • Part of subcall function 00352140: GetLastError.KERNEL32(?,79276D7D,?,?,?,000000FF,?,0034FC64,?,?,00000000,00000000,79276D7D,?,?), ref: 003521D0
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • ResetEvent.KERNEL32(?,00000000,004238DD), ref: 0035036A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00350389
                                        • WaitForSingleObject.KERNEL32(79276D7D,000000FF), ref: 00350390
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
                                        • String ID: GET$attachment$filename$h[D
                                        • API String ID: 818129584-4284821814
                                        • Opcode ID: eaa7ca9adeb7082a3facfda5c0d61e6d413aefa5f1c071cd0e90bb43e1db5026
                                        • Instruction ID: 95e556583ce6aa59c742844940aa171c34ae05f86ba6a35d2098b45ff744921e
                                        • Opcode Fuzzy Hash: eaa7ca9adeb7082a3facfda5c0d61e6d413aefa5f1c071cd0e90bb43e1db5026
                                        • Instruction Fuzzy Hash: 3C020E70901249DFDB05DFA8C844BAEBBF4FF15315F148169E815AB3A1EB75AA08CF90
                                        APIs
                                        • EnterCriticalSection.KERNEL32(004C6008,79276D7D,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003E04E5), ref: 00234EBA
                                        • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003E04E5), ref: 00234F3A
                                        • EnterCriticalSection.KERNEL32(004C6024,?,?,?,?,?,?,?,?,?,?,?,00000000,003E04E5,000000FF), ref: 002350F3
                                        • LeaveCriticalSection.KERNEL32(004C6024,?,?,?,?,?,?,?,?,?,?,00000000,003E04E5,000000FF), ref: 00235114
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Enter$FileLeaveModuleName
                                        • String ID: rw$8YL
                                        • API String ID: 1807155316-453982213
                                        • Opcode ID: 6fd0f64c97af7ce3bbb269714ef7c5dfca0ca4ef583906317f0c5afe44527a35
                                        • Instruction ID: 34e451f0eeb24aafc8f539101a09ff88c9d5876b23ad0dbd40fc4151efdec211
                                        • Opcode Fuzzy Hash: 6fd0f64c97af7ce3bbb269714ef7c5dfca0ca4ef583906317f0c5afe44527a35
                                        • Instruction Fuzzy Hash: 2AB1A2B0A14659DFDB10CFA4C884BAEBBB4FF49314F144598E849EB391C775AE44CB60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.VisualStateManager$}m'y$}m'y$}m'y$}m'y$}m'y
                                        • API String ID: 0-55632402
                                        • Opcode ID: 70650e6746c703dd21b67d05bc37a6afacbed5d6e10a4d8938dc4ea3e8cbd713
                                        • Instruction ID: af9422918f8196baa729bc5319bde9cb4795b51fc9200a1f1a804c081bc8e806
                                        • Opcode Fuzzy Hash: 70650e6746c703dd21b67d05bc37a6afacbed5d6e10a4d8938dc4ea3e8cbd713
                                        • Instruction Fuzzy Hash: CE91BE75900649EFCB01CFA8C844BAEFBB8FF49314F10416AF914A7391D776AA55CBA0
                                        APIs
                                        • CoCreateInstance.COMBASE(004437FC,00000000,00000001,00443E84,?), ref: 00230EE0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: :${$>D
                                        • API String ID: 542301482-1075776714
                                        • Opcode ID: 34abb3fb3b5556e4d33c8e0bd1dfc493f83f2eba345cc8bb581d066f479a0f4a
                                        • Instruction ID: 59d19965aba56a3467316fb00cf82e0e919f52fc0ba3bb4b9f77edd311b43195
                                        • Opcode Fuzzy Hash: 34abb3fb3b5556e4d33c8e0bd1dfc493f83f2eba345cc8bb581d066f479a0f4a
                                        • Instruction Fuzzy Hash: D261B4B4A202569BDF289F94C8A4BBE77F4EB09711F244429F801EB680D775DD90C774
                                        APIs
                                        • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 0024DEF7
                                        • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 0024DF1F
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0024DF37
                                        • SendMessageW.USER32(?,0000130A,00000000,?), ref: 0024DF68
                                        • GetParent.USER32(?), ref: 0024E044
                                        • SendMessageW.USER32(00000000,00000136,?,?), ref: 0024E055
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$Parent
                                        • String ID: U2;
                                        • API String ID: 1020955656-3377301532
                                        • Opcode ID: 43c12bff889cda9c9ec3ada8cd7a2a2844f75244fac70233f9ff9515ee8c212e
                                        • Instruction ID: 0f203c559a207b8367b3a4fb549a26d5283cdf7b959a68b5439df8bfba0450fe
                                        • Opcode Fuzzy Hash: 43c12bff889cda9c9ec3ada8cd7a2a2844f75244fac70233f9ff9515ee8c212e
                                        • Instruction Fuzzy Hash: 5C614A72910218AFDB219FE5DD19FEEBBB9FF88710F110129F619AB2A0C7706950CB54
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004213BF,000000FF), ref: 003572D3
                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004213BF,000000FF), ref: 00357361
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                        • String ID: << Advanced Installer (x86) Log >>$ YL$T`L$T`L$|`L
                                        • API String ID: 3699736680-335362602
                                        • Opcode ID: 8b01ffab9a2e4e212c151324c21e643f1ee06bd8e881b46ac6ed322a8612bf0e
                                        • Instruction ID: c7bf9516b22cfd475fe566a5387508783e6f67a245b7e3d2d8f5fa47751482b2
                                        • Opcode Fuzzy Hash: 8b01ffab9a2e4e212c151324c21e643f1ee06bd8e881b46ac6ed322a8612bf0e
                                        • Instruction Fuzzy Hash: 3E610170504684DFD701CFA9D948B4AFBF0EF45314F15C2AEE805AB3A1DB759A08CB94
                                        APIs
                                        • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 003022AB
                                        • GetParent.USER32(00000000), ref: 003022FE
                                        • GetWindowRect.USER32(00000000), ref: 00302301
                                        • GetParent.USER32(00000000), ref: 00302310
                                          • Part of subcall function 002BFCF0: GetWindowRect.USER32(?,?), ref: 002BFD8B
                                          • Part of subcall function 002BFCF0: GetWindowRect.USER32(?,?), ref: 002BFDA3
                                        • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00302400
                                        • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00302413
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageRectSendWindow$Parent
                                        • String ID: $/;
                                        • API String ID: 425339167-1662183015
                                        • Opcode ID: ba7c9dc94e5823689dfa2c23158c732e4d6658d178a0b11f05b9a689b7d00e15
                                        • Instruction ID: 1beae058d6963875c0c6da6ef71781cbc0a504ac55565fb4039f5696eced016b
                                        • Opcode Fuzzy Hash: ba7c9dc94e5823689dfa2c23158c732e4d6658d178a0b11f05b9a689b7d00e15
                                        • Instruction Fuzzy Hash: F9514971D00708ABDB11DFA8CE55BDEBBF8EF99710F20436AE815A7291E7706980CB54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ComboBox$p\L$t\L$t\L}m'y$t\L}m'y$}m'y
                                        • API String ID: 0-3092671109
                                        • Opcode ID: 4c6d41f00d779346d3cd9ab09ecd3235f2329d6158e054353a8cbfbf1e4ff655
                                        • Instruction ID: 367d008cc94204e54c56ddd08b67f542944fe710f383fb6e72731a337ea0c887
                                        • Opcode Fuzzy Hash: 4c6d41f00d779346d3cd9ab09ecd3235f2329d6158e054353a8cbfbf1e4ff655
                                        • Instruction Fuzzy Hash: AF519FB1D10219DFDB00DFA4C981BEFBBB8EB04714F10452AE811A7280DBB96A44CBE5
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00302500
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        • GetProcAddress.KERNEL32(SetWindowTheme), ref: 0030253D
                                        • __Init_thread_footer.LIBCMT ref: 00302554
                                        • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 0030257F
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                          • Part of subcall function 002E1FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002E1FF1
                                          • Part of subcall function 002E1FB0: _wcschr.LIBVCRUNTIME ref: 002E20AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
                                        • String ID: SetWindowTheme$UxTheme.dll$explorer
                                        • API String ID: 3852524043-3123591815
                                        • Opcode ID: 3503ceb834113b6b66c48632681944597c6e181bb24b3fd53c20cff7c6f03aa2
                                        • Instruction ID: f23a2aeda34ffc1b28e18422f7715404d09de90b00eaf0ac78084661fca6ae62
                                        • Opcode Fuzzy Hash: 3503ceb834113b6b66c48632681944597c6e181bb24b3fd53c20cff7c6f03aa2
                                        • Instruction Fuzzy Hash: 3E21A2B1A41304BBC721DF14ED16F89B7A4EB01760F228226F920A73D5D779E901CB5D
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 0023980A
                                        • GetWindow.USER32(?,00000005), ref: 00239817
                                        • GetWindow.USER32(00000000,00000002), ref: 00239952
                                          • Part of subcall function 00239660: GetWindowRect.USER32(?,?), ref: 0023968C
                                          • Part of subcall function 00239660: GetWindowRect.USER32(?,?), ref: 0023969C
                                        • GetWindowRect.USER32(?,?), ref: 002398AB
                                        • GetWindowRect.USER32(00000000,?), ref: 002398BB
                                        • GetWindowRect.USER32(00000000,?), ref: 002398D5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID:
                                        • API String ID: 3200805268-0
                                        • Opcode ID: b8bdfcfacf7453406c32a6627257f44c3374f5c1036d36e7b0908efc6762ecfa
                                        • Instruction ID: 13be823a8d6a3b2299f3988cb499aa45bf596192a7d9665462881235f7af2950
                                        • Opcode Fuzzy Hash: b8bdfcfacf7453406c32a6627257f44c3374f5c1036d36e7b0908efc6762ecfa
                                        • Instruction Fuzzy Hash: 79419B705187029FC721DF29C980AABF7E9BF97704F504A1DF08597521EBB0E998CB52
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,003B5D55,00000000,?,?,00230B74,?), ref: 003B5BCF
                                        • HeapAlloc.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5BD6
                                          • Part of subcall function 003B5CA1: IsProcessorFeaturePresent.KERNEL32(0000000C,003B5BBD,00000000,?,003B5D55,00000000,?,?,00230B74,?), ref: 003B5CA3
                                        • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,003B5D55,00000000,?,?,00230B74,?), ref: 003B5BE6
                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00230B74,?), ref: 003B5C0D
                                        • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,00230B74,?), ref: 003B5C21
                                        • InterlockedPopEntrySList.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5C34
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00230B74,?), ref: 003B5C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                        • String ID:
                                        • API String ID: 2460949444-0
                                        • Opcode ID: b9240840da4e08b3c5b15373e5e907f0d0251e19e221bc43b253227490f92978
                                        • Instruction ID: 3240f03941aa158dd1d8ab87dbd9a9579a497baeabbfa7c263dbaae6d60829a2
                                        • Opcode Fuzzy Hash: b9240840da4e08b3c5b15373e5e907f0d0251e19e221bc43b253227490f92978
                                        • Instruction Fuzzy Hash: 8911B671602F11ABE7221764AD58FABAA6EEB48799F170435FB01D7550DF61CC008668
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 0028EB86
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 0028EB8C
                                          • Part of subcall function 00290530: GetProcessHeap.KERNEL32(?,?,79276D7D,00000000,?,00000000), ref: 002905EA
                                          • Part of subcall function 00290530: HeapFree.KERNEL32(00000000,?,?,79276D7D,00000000,?,00000000), ref: 002905F0
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0028ED97
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0028ED9D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3D$|3D$}m'y
                                        • API String ID: 3859560861-1273754131
                                        • Opcode ID: 61597cf026963bdc85258e604853fa2f8abc4dbdf0b4b8ab8ebbbb0538d428dc
                                        • Instruction ID: e895dd36051b0d8aa66ab45a0ead20f169bdea52c3a3439c679ce0b02d65fbdf
                                        • Opcode Fuzzy Hash: 61597cf026963bdc85258e604853fa2f8abc4dbdf0b4b8ab8ebbbb0538d428dc
                                        • Instruction Fuzzy Hash: A6F17B74901249DFDF14EFA8C945BEEBBB4FF05314F204299E811AB2D1DB74AA18CB91
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • _wcschr.LIBVCRUNTIME ref: 00366F6B
                                        • _wcschr.LIBVCRUNTIME ref: 0036701D
                                        • _wcschr.LIBVCRUNTIME ref: 0036703C
                                          • Part of subcall function 00229390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,002369F0,-00000010,?,0023AA9D,*.*), ref: 002293B7
                                        • _wcschr.LIBVCRUNTIME ref: 003670E2
                                        • GetTickCount.KERNEL32 ref: 0036728A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
                                        • String ID: 0123456789AaBbCcDdEeFf
                                        • API String ID: 2181188311-3822820098
                                        • Opcode ID: 586e5c4a50091935e918abe6aac383a81e305c1ddd910873a3883c533a79c8ce
                                        • Instruction ID: 2ad652c5294389bc5cc738f429f76bfbd282a337fb5f16df73905f3526465a18
                                        • Opcode Fuzzy Hash: 586e5c4a50091935e918abe6aac383a81e305c1ddd910873a3883c533a79c8ce
                                        • Instruction Fuzzy Hash: 38D12070A046058FDB22CF68C848BAEB7F5EF45328F14C65DE4559B295DB34E845CBA0
                                        APIs
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0024F7CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: ' AND `Control_`='$,nD$AiTabPage$ControlEvent$`Dialog_`='
                                        • API String ID: 3850602802-2534852014
                                        • Opcode ID: 533c728be4d2741302180af1190073268e8009467a0cbb67654e621d474b7cb0
                                        • Instruction ID: 6e4098805a05e6cad891f8989ebb9f35ff9f18fe92dc3f2f47b0412e4d935665
                                        • Opcode Fuzzy Hash: 533c728be4d2741302180af1190073268e8009467a0cbb67654e621d474b7cb0
                                        • Instruction Fuzzy Hash: C5F17871910258DFDF04DF68C999BEEBBB1FF48304F150169ED149B292DB74AA18CB90
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,79276D7D,?,00000000), ref: 00320A69
                                        • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000), ref: 00320AEC
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00320B39
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00320B42
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00320BA5
                                        • CloseHandle.KERNEL32(00000000), ref: 00320CF7
                                        • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00320D7F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: File$Read$CloseCreateHandlePointerSize
                                        • String ID:
                                        • API String ID: 4181610692-0
                                        • Opcode ID: dfcac6a0748cee809285c72007308c4bd409b8c94e9657520f2582b7dc12c7fe
                                        • Instruction ID: d6f6fc89adf86bd6ffcfb267e62813ad0d13c5fac839fceb5e6cbb31356aa0a8
                                        • Opcode Fuzzy Hash: dfcac6a0748cee809285c72007308c4bd409b8c94e9657520f2582b7dc12c7fe
                                        • Instruction Fuzzy Hash: 3BC18E70D01318DFDB29CFA4D845BEEBBB5BF44704F21825DE415AB282DB70AA49CB94
                                        APIs
                                        • SysFreeString.OLEAUT32(?), ref: 00254D55
                                        • SysFreeString.OLEAUT32(00000000), ref: 00254DCA
                                        • GetProcessHeap.KERNEL32(?,?), ref: 00254E30
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 00254E36
                                        • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00254E66
                                        • HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00254E6C
                                        • SysFreeString.OLEAUT32(00000000), ref: 00254E84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Free$Heap$String$Process
                                        • String ID:
                                        • API String ID: 2680101141-0
                                        • Opcode ID: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
                                        • Instruction ID: f12afcefacd95c4bcd7db63aee8541b4fb752dad3bf4266cd02a7223a7d2a1b6
                                        • Opcode Fuzzy Hash: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
                                        • Instruction Fuzzy Hash: AB61D070D1025A8FDF11EFA8C845BEFFBB4BF01309F140158E811AB282C7789A59CBA5
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0022B5D2
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        • __Init_thread_footer.LIBCMT ref: 0022B658
                                        • CreateDirectoryW.KERNEL32(004C61F4,00000000,?,00000000,79276D7D,?,00000000), ref: 0022B695
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionCreateDirectoryVariableWake
                                        • String ID: ,bL$,bL$,bL
                                        • API String ID: 2312781895-2433560460
                                        • Opcode ID: 71489c59958253e83c2ae1de85aecf9c2fbba3cf6c0d91c8d8c6882fa0a2ca14
                                        • Instruction ID: 73fbafa7771679adcb4acf528721240d7b86eac49f29a88f6a83646ffc9310e1
                                        • Opcode Fuzzy Hash: 71489c59958253e83c2ae1de85aecf9c2fbba3cf6c0d91c8d8c6882fa0a2ca14
                                        • Instruction Fuzzy Hash: 4251C671900219EBCB11EFE4E845F9EBBB4EF04314F11866EE411AB2D1DB78AA18CF55
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 002BFD8B
                                        • GetWindowRect.USER32(?,?), ref: 002BFDA3
                                        • GetWindowRect.USER32(?,?), ref: 002BFE10
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002BFE34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Long
                                        • String ID: $/;$L/;
                                        • API String ID: 3486571012-1934778625
                                        • Opcode ID: ae15f5c1b3071947dfe2572156e2b5eb1eb4ee0507d74e5635e02a8f9680bdde
                                        • Instruction ID: 72f2a1d3de86e0dcd8af3295112446a4fc53d5035d829ee8ed0c5e32bfb02389
                                        • Opcode Fuzzy Hash: ae15f5c1b3071947dfe2572156e2b5eb1eb4ee0507d74e5635e02a8f9680bdde
                                        • Instruction Fuzzy Hash: C54189326083069FC744CF25CA80EABB7E8FF99744F158A2EF94597211EB30E9548B56
                                        APIs
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,79276D7D,?,?), ref: 0034E307
                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,79276D7D,0042344D), ref: 0034E37F
                                        • GetLastError.KERNEL32 ref: 0034E390
                                        • WaitForSingleObject.KERNEL32(0042344D,000000FF), ref: 0034E3AC
                                        • GetExitCodeProcess.KERNEL32(0042344D,00000000), ref: 0034E3BD
                                        • CloseHandle.KERNEL32(0042344D), ref: 0034E3C7
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0034E3E2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
                                        • String ID:
                                        • API String ID: 1153077990-0
                                        • Opcode ID: eb20cfbcfe612684200ba8118b1cd0d6a03b2a057f2dccb6c803e51424c4334c
                                        • Instruction ID: 5f76a8ea6a44a70efb5fd4da2affee972c6b570e0bc7dca0ae757b3d1289d28a
                                        • Opcode Fuzzy Hash: eb20cfbcfe612684200ba8118b1cd0d6a03b2a057f2dccb6c803e51424c4334c
                                        • Instruction Fuzzy Hash: B0417B31E04389ABDB12CFA5CD047AEBBF8BF49314F145669F825A7190DB749A40CF60
                                        APIs
                                        • LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00346881,00000000,79276D7D,?,00000010,00000000), ref: 00360EAB
                                        • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00360EC1
                                        • FreeLibrary.KERNEL32(00000000), ref: 00360EFA
                                        • FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00346881,00000000,79276D7D,?,00000010,00000000), ref: 00360F16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Library$Free$AddressLoadProc
                                        • String ID: DllGetVersion$Shlwapi.dll
                                        • API String ID: 1386263645-2240825258
                                        • Opcode ID: d50c4a7b699e726dba728fbf0901ec9c5c9dc89a98bf6e7d9523c52c21b67875
                                        • Instruction ID: f583c835b679bf75b2396de2d5d663ee3cd0a3cb8721bcaeb220437606bff201
                                        • Opcode Fuzzy Hash: d50c4a7b699e726dba728fbf0901ec9c5c9dc89a98bf6e7d9523c52c21b67875
                                        • Instruction Fuzzy Hash: 1821A7726043018BC315AF29EC4266BF7E4BFD9715F81056EF949D7302EB35D80987A2
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,003CFEDF,003CD0E1,0000000C,?,00000000,00000000,?,003D0109,00000021,FlsSetValue,0043CF80,0043CF88,?), ref: 003CFE93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 3664257935-537541572
                                        • Opcode ID: 4a2892933ce337061f7c33d2724a2dff1c9f7e024acb9b39402324159063a091
                                        • Instruction ID: 0e43c0d12272ca6849ec6e4964fb09f72897d65a9e173ddb9b630b885bd808a9
                                        • Opcode Fuzzy Hash: 4a2892933ce337061f7c33d2724a2dff1c9f7e024acb9b39402324159063a091
                                        • Instruction Fuzzy Hash: A7219372A02214AFC723AB749C45F5A776A9B45770F261138E916E72A1DB30ED00C7D4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00286ED0
                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00286ED6
                                        • GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00286F01
                                        • HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00286F07
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: _TEMP$|3D
                                        • API String ID: 3859560861-4027163254
                                        • Opcode ID: f971f2ea2ef75ee2f492df42fcadb05acb1a9a29adb010ecfc15622986475fdc
                                        • Instruction ID: 83a92a9d0545844f707fd3707360d8e1e67de28d6f7e9d745727c1e5c683e24c
                                        • Opcode Fuzzy Hash: f971f2ea2ef75ee2f492df42fcadb05acb1a9a29adb010ecfc15622986475fdc
                                        • Instruction Fuzzy Hash: 4891B075E12249DFDB00DF98C988BEEFBB4EF44314F2442A9E505A72D1CB749A04CBA1
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 003160CA
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 003160EC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00316114
                                        • __Getctype.LIBCPMT ref: 003161E5
                                        • std::_Facet_Register.LIBCPMT ref: 00316247
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00316271
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • String ID:
                                        • API String ID: 1102183713-0
                                        • Opcode ID: 0b7ece2807b42add0db7869b723f9f9f6b30ae8aff78a5f81bb5127a85e2fda8
                                        • Instruction ID: afcbc59ab3fbc3002d0d2dfb4d31294553fcd6bd77818f7b33d9823cdc8a1166
                                        • Opcode Fuzzy Hash: 0b7ece2807b42add0db7869b723f9f9f6b30ae8aff78a5f81bb5127a85e2fda8
                                        • Instruction Fuzzy Hash: B351D2B1D00214DFDB12CFA8C941BAEB7F0EF18314F15816DE8456B392E775AA85CB91
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 002399D7
                                        • GetWindowRect.USER32(?,?), ref: 00239AB3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: RectWindow
                                        • String ID: $/;$PVD$U2;
                                        • API String ID: 861336768-2145497844
                                        • Opcode ID: 2da1d0f69b3c979b1ac153eb58c76c9b3837e0ed6ef0d7216189f43c80864bf3
                                        • Instruction ID: 3c00ce804d4f09ba1820fdb973285b508ae775f5f80a766b17fb4d57b5fcc9f1
                                        • Opcode Fuzzy Hash: 2da1d0f69b3c979b1ac153eb58c76c9b3837e0ed6ef0d7216189f43c80864bf3
                                        • Instruction Fuzzy Hash: 1CE138B1D04618EFEB61CFA4D944B9EBBF8EF59700F1082A9E809A7251D7706A80CF50
                                        APIs
                                        • GetLastError.KERNEL32(?,?,003B7D49,003B7D15,?,?,002521FD,00320140,?,00000008), ref: 003B7D60
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003B7D6E
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003B7D87
                                        • SetLastError.KERNEL32(00000000,003B7D49,003B7D15,?,?,002521FD,00320140,?,00000008), ref: 003B7DD9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: db1aaac028f9963ede7396b17456c6c488365194bb944cbf69da629ee01a6c49
                                        • Instruction ID: ccf44c5ad0f1dc80f7badb378f488e006208b0da31a72edeb6ad1672a71c5cf7
                                        • Opcode Fuzzy Hash: db1aaac028f9963ede7396b17456c6c488365194bb944cbf69da629ee01a6c49
                                        • Instruction Fuzzy Hash: B701B53220CB216EA7272A796C856F62664EF913B9725033DF711599E2EF514C005249
                                        APIs
                                        • GetShortPathNameW.KERNEL32(79276D7D,00000000,00000000), ref: 00333D1F
                                        • GetShortPathNameW.KERNEL32(?,?,?), ref: 00333D8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: NamePathShort
                                        • String ID: neutral$x64$x86
                                        • API String ID: 1295925010-1541741584
                                        • Opcode ID: 8825a9e26a1a004101f668322a1303f2eef5bb9a0e6e28ead187af0bb13b75af
                                        • Instruction ID: df633d116bb7646d559690ed22c3c78c802c206461eecd62ebce1613b3f3e4e9
                                        • Opcode Fuzzy Hash: 8825a9e26a1a004101f668322a1303f2eef5bb9a0e6e28ead187af0bb13b75af
                                        • Instruction Fuzzy Hash: 6AB1B171A04208EFDB01DFA8D899BDEFFB4EF04324F108159E415AB291DB75AA44CFA4
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00248258
                                        • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00248287
                                        • SendMessageW.USER32(00000000,0000110A,00000004,0A74C085), ref: 00248443
                                        • SendMessageW.USER32(0000110A,0000110A,00000001,00000000), ref: 00248466
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: _L
                                        • API String ID: 3850602802-2792937660
                                        • Opcode ID: b189d609b0cab103e32f2347cf9ac7623900128752c03abfa793eaad9cb8b24f
                                        • Instruction ID: 58d49cbabe0703c634cb759fedb8bfdd70eaeda2f7641a428a446721f6f65a88
                                        • Opcode Fuzzy Hash: b189d609b0cab103e32f2347cf9ac7623900128752c03abfa793eaad9cb8b24f
                                        • Instruction Fuzzy Hash: 1EA17072920215DFCF19DFA4D880AEEBBF5BF08710F1545A9E901AB291DB70EC51CB60
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 003299E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID: Close$Copy$Details >>$Send Error Report
                                        • API String ID: 4139908857-113472931
                                        • Opcode ID: 692d696392b20479b3ac47e367fb9d09ebc80db62be4eeeb1971ed3805f7be85
                                        • Instruction ID: 2a35ae872e492277e957875769ea9bdc8e45011d36cd8c4d06e4a4f233a7a0c9
                                        • Opcode Fuzzy Hash: 692d696392b20479b3ac47e367fb9d09ebc80db62be4eeeb1971ed3805f7be85
                                        • Instruction Fuzzy Hash: E091E270A40715ABEB19DF60EC56FAAB775FF44704F104229F612BB2D0EBB0A904CB55
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00228975
                                        • __Init_thread_footer.LIBCMT ref: 002289EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: </a>$<a href="$<a>
                                        • API String ID: 1385522511-4210067781
                                        • Opcode ID: 00982f5af39e933cce71842c83006ff9d939f95874c81b14a3a5d64d81693d55
                                        • Instruction ID: ce09bc104ca8a1b8dcd8a11a4d0d7d4b540286c86c04c91ac5893d00cddb597a
                                        • Opcode Fuzzy Hash: 00982f5af39e933cce71842c83006ff9d939f95874c81b14a3a5d64d81693d55
                                        • Instruction Fuzzy Hash: A9A1BDB0A11214EFCB04DFA8E859FADB7B5FF44314F148229E411AB2D2EF34A954CB54
                                        APIs
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                          • Part of subcall function 00302040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00240168,00000000,80004005), ref: 003020AB
                                          • Part of subcall function 00302040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003020DB
                                        • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00245FDC
                                        • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00245FF3
                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 0024604F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$AllocHeapWindow
                                        • String ID: QuickSelectionList$|3D
                                        • API String ID: 2851540245-875564710
                                        • Opcode ID: 03bfe415714a2cd11f2f010a8984a0aa6a27657fc892d3b849a917672637ae13
                                        • Instruction ID: b89d6d756db36a7c18ac5a23e74f95ec14bba203c793b87a75c5546079787a99
                                        • Opcode Fuzzy Hash: 03bfe415714a2cd11f2f010a8984a0aa6a27657fc892d3b849a917672637ae13
                                        • Instruction Fuzzy Hash: 0281CB71A106099FCB18DF68C894BAEF7F4FF88324F10422DE955A7291CB71A904CF90
                                        APIs
                                          • Part of subcall function 00320F40: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00320F84
                                          • Part of subcall function 00320F40: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00320F8F
                                        • GetCurrentThreadId.KERNEL32 ref: 00279B3C
                                        • SendMessageW.USER32(?,00000127,00030003,00000000), ref: 00279BC5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$CurrentThread
                                        • String ID: 0^L$AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                        • API String ID: 2377075789-62552522
                                        • Opcode ID: 7933ef75ffa6f535b4cedb8c2d3fe9316fc55f5d30e586d28af11a2537289e01
                                        • Instruction ID: 1377c2fbc4e19710220b3e986d6bf5c8aa4193cd18a1e2372411bd467e10397e
                                        • Opcode Fuzzy Hash: 7933ef75ffa6f535b4cedb8c2d3fe9316fc55f5d30e586d28af11a2537289e01
                                        • Instruction Fuzzy Hash: FA81B130A15208DFDF05EF64C995B9DBBB5EF48304F1481A9E809AB292DB74AE04CF91
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?,?,79276D7D,00000000,?), ref: 0032266C
                                        • SHGetMalloc.SHELL32(?), ref: 00322695
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$FolderHeapLocationMallocProcessSpecial
                                        • String ID: %s, %.2u %s %.4u %.2u:%.2u:%.2u GMT$C:\$C:\FAKE_DIR\
                                        • API String ID: 3216538967-785558474
                                        • Opcode ID: 511d9c8c14c400c25fab18def0e40b106678696decbbedc8f14665267b22653b
                                        • Instruction ID: 9f593862ae1853f33660816445b4f589d2d75bd27b76e7d3282ecaca47a4ce59
                                        • Opcode Fuzzy Hash: 511d9c8c14c400c25fab18def0e40b106678696decbbedc8f14665267b22653b
                                        • Instruction Fuzzy Hash: EF718FB1900258EBDB10DF95DC45BEEBBF8FB48705F10851AF914AB282D7B89908CF58
                                        APIs
                                        • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 0024DD5D
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0024DD72
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0024DD7A
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                          • Part of subcall function 0024F780: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0024F7CD
                                        Similarity
                                        • API ID: MessageSend$AllocCreateHeapWindow
                                        • String ID: SysTabControl32$TabHost
                                        • API String ID: 4294867080-2872506973
                                        • Opcode ID: cbee6b9b9aa4295d718f430e1d99dac4cfacd71e3860b802ad5c4ae8c9fb272a
                                        • Instruction ID: 4487b3c80a6e2865387994963eee68584adab9800cc7513662377450dbf3f2b0
                                        • Instruction Fuzzy Hash: A1519D31A00605AFDB04DF69C884BAABBB4FF89710F104269E915A7391DB75AC00CFA4
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,79276D7D), ref: 00236EF3
                                        • GetLastError.KERNEL32 ref: 00236F1C
                                        • RegCloseKey.ADVAPI32(?,00000000,00000000,?,0044337C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00237065
                                        Strings
                                        • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00236EE8
                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00236F5C
                                        Similarity
                                        • API ID: CloseCreateErrorEventLast
                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                        • API String ID: 1713683948-2079760225
                                        • Opcode ID: c5c10d1e427caa8b6076764b40426dcd36f8fd32a0b68ae4d96518066ade8568
                                        • Instruction ID: 06082ce9d78b801a5910ff54e306b524a3d303126053daa270591ea636bdc49d
                                        • Instruction Fuzzy Hash: 5A618FB0D14349EEDB10CFA8C945BDEFBF4BF14304F108259E459A7281DBB46A58CB91
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.DispatcherTimer$}m'y$}m'y$}m'y
                                        • API String ID: 0-548761736
                                        • Opcode ID: f34f458cfe2c932575236283d4fedfe2205adaef0b379662780d06dcc4204a4b
                                        • Instruction ID: 1d8eb78c37591d39a9f1dc7adc1056522169e0bec945c088585b580de7625a8e
                                        • Instruction Fuzzy Hash: 8F51BEB1D1061ADBDB01DF98C841BEEFBB8FB04714F20456AE815A7280DBB56A48CBD5
                                        APIs
                                        • EnterCriticalSection.KERNEL32(010D9CE0,79276D7D,010D9CE0), ref: 00285E41
                                        • GetCurrentThreadId.KERNEL32 ref: 00285E51
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00285E77
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: rw$}m'y
                                        • API String ID: 2351996187-2181794445
                                        • Opcode ID: 8fffd4004e6da890bc5bb89edb3b9928421797ef010f6968c39f068d37b39220
                                        • Instruction ID: d926b08eaa3a4b3dd02b5874bc02bd616dafc47f9d0293dc0ec42e0016ed53d6
                                        • Instruction Fuzzy Hash: AA41CF75911926AFDB20DF58CC80BAAF7A8FB45314F108729E925D7680D731EE64CBD0
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C59E8,Windows.UI.Xaml.Controls.TextBlock,00000022,79276D7D,00000001,00000000,?,YL,003E6017,000000FF), ref: 0025D168
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.UI.Xaml.Controls.TextBlock$YL$YL$YL
                                        • API String ID: 4129690577-108268177
                                        • Opcode ID: 5981e620507ab9f5e41880a1ebf9bf3957d32a8e279afbadc4726bd70819a75f
                                        • Instruction ID: 8d378092f2df6d26cee8ad77ee634ecae9640ed87165c8faead1840b3c6e238e
                                        • Instruction Fuzzy Hash: 28319CB191161AEBDB00DF94CC46BEFBBB4FB04315F10416AE814AB280DBB46B48CBD5
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 002329C6
                                        • EnterCriticalSection.KERNEL32(004C6250), ref: 002329E6
                                        • LeaveCriticalSection.KERNEL32(004C6250), ref: 00232A0A
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: rw$PbL
                                        • API String ID: 2351996187-1635339685
                                        • Opcode ID: aba4285a7f70d91c73585193b18fc9e9a4ad106661613a9a8be42329fb235442
                                        • Instruction ID: f3a511b322f67dc2acb4be336004977258e1d716e1e300d05e1b73bc87a033c0
                                        • Instruction Fuzzy Hash: EA21BFB1904744EFDB21DF58DC40B8ABBF8FB05B10F10866EE82597780D7B9A508CB94
                                        Similarity
                                        • API ID:
                                        • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
                                        • API String ID: 0-3551742416
                                        • Opcode ID: f607005096f92f2a3703d4cd027f620dccb887949f7e0e32d342d5b74cbf2d43
                                        • Instruction ID: 05ba13902eec01b846f6e403b21c2e7cb55717f2a2254bed474367a2aac05281
                                        • Instruction Fuzzy Hash: E4212032A006059BCB25DF28C841BBAF3E4FF46720F5046AAE911DB391EB35ED44C784
                                        APIs
                                        • EnterCriticalSection.KERNEL32(}m'y,79276D7D), ref: 00286080
                                        • GetCurrentThreadId.KERNEL32 ref: 00286093
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00286111
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: rw$}m'y
                                        • API String ID: 2351996187-2181794445
                                        • Opcode ID: 1fdbe6c771ea76f2e949fe58319e58dd1c7f0ef368cb794fbdec69b077d97689
                                        • Instruction ID: 658b469910367730703c8a11ba63ae5947536710869c3792c303f945793f9eb4
                                        • Instruction Fuzzy Hash: 7C31C975900245DFDB21CF69C849BAEBBF0EF08314F148169E895A33A1E775AA04CB90
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00254B92
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00254B98
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoOriginateLanguageException$combase.dll$}m'y
                                        • API String ID: 2574300362-426541238
                                        • Opcode ID: 61a6b08c263e110bb65d987a8a88d8584f095409f097bea68a6249893d774e0c
                                        • Instruction ID: 6f920370fde8fb203a023dab2f78bc0b5d76c2b03d917e4347685fd4f256fbea
                                        • Instruction Fuzzy Hash: C131D470910209EFDB14EFA8C801BEEB7F4EB04315F10466AEC25A72C0D7789B58CB94
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,003BA84D,?,?,00000000,?,?,003BA8FF,00000002,FlsGetValue,0043A0D0,0043A0D8), ref: 003BA81C
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: 43e420ca650189dd60b618187728866e0c6f61dfb9092fd27f411c9f6e92b5fe
                                        • Instruction ID: 11c280029ea48d2cd202103a1817b1577eec83e610c082348847807a02237a5d
                                        • Instruction Fuzzy Hash: 2A11A731A45F21ABDB334BA89C45B9D77B49F01774F260120FA11EB980DB70ED0586D6
                                        APIs
                                        • EnterCriticalSection.KERNEL32(004C6250), ref: 0023273C
                                        • GetCurrentThreadId.KERNEL32 ref: 00232750
                                        • LeaveCriticalSection.KERNEL32(004C6250), ref: 0023278E
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: rw$PbL
                                        • API String ID: 2351996187-1635339685
                                        • Opcode ID: 539aa316126658adc7db84f60e135f0de7213182734b44a15c7007d50e2ac98e
                                        • Instruction ID: e3a8ec4b6e3df6f232b4b540cd4de63758aa5ad364c039cfb6acdc3cf9f50940
                                        • Instruction Fuzzy Hash: 13112775904345DBCB20CF59CD04B6AFBF4FB55720F11866EE81293390D7749908CB90
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,79276D7D,?,?,00000000,00436426,000000FF,?,003CC662,?,?,003CC636,?), ref: 003CC6C4
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003CC6D6
                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00436426,000000FF,?,003CC662,?,?,003CC636,?), ref: 003CC6F8
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: be19b5da3e750479c1ad05f1d2344ced8eb54ac792ae051883ee775edcc9c518
                                        • Instruction ID: d999a5edd86c8c8ed74a4a0d5ae7d142165838beef005dc64f2bc924541cac2f
                                        • Instruction Fuzzy Hash: B601A231914619EFDB129F54DC05FAEBBB8FB04B11F15612EF811E2290DBB89800CB98
                                        APIs
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00327A1E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00327A25
                                        • __Init_thread_footer.LIBCMT ref: 00327A3C
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                        • String ID: Dbghelp.dll$SymFromAddr
                                        • API String ID: 3268644551-642441706
                                        • Opcode ID: 8eb9e5b84eb4824fd84439d9542ab09a4795f6f6521de6a64328998a9bcd3d50
                                        • Instruction ID: d6a8ce46a3456269535ca66e9c38ef25a0ba5954add3dc8d52448b1fef3f736d
                                        • Opcode Fuzzy Hash: 8eb9e5b84eb4824fd84439d9542ab09a4795f6f6521de6a64328998a9bcd3d50
                                        • Instruction Fuzzy Hash: 1801BCB1A40700EFC710CF58ED46F68B7A4EB08B30F21827AFC15837D0C739A9008A19
                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,003B6687,00000064), ref: 003B670D
                                        • LeaveCriticalSection.KERNEL32(004C4CD8,?,?,003B6687,00000064,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B6717
                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,003B6687,00000064,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B6728
                                        • EnterCriticalSection.KERNEL32(004C4CD8,?,003B6687,00000064,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B672F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID: rw
                                        • API String ID: 3269011525-1192573183
                                        • Opcode ID: 5e88e0753de79828c876cb70cd8a15a766cb5854d33c523a5bc306625542eae9
                                        • Instruction ID: 65fd9a182123001fe5a5c4ae6bc1080cfe04c11e32445461632e36543c7b509b
                                        • Opcode Fuzzy Hash: 5e88e0753de79828c876cb70cd8a15a766cb5854d33c523a5bc306625542eae9
                                        • Instruction Fuzzy Hash: AFE09235542624A7CB421B91EE1AFDE7F38EB45B15B130039FA0566530CF6809109BEC
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?), ref: 0028E08B
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 0028E091
                                        • GetProcessHeap.KERNEL32(?,?), ref: 0028E160
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 0028E166
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3D
                                        • API String ID: 3859560861-661694623
                                        • Opcode ID: 5ac864c58040ecab1c2ffcb08ad5e966cfbb055ad162d917fc60074f2274fc74
                                        • Instruction ID: 4754dddedcac3e903a74165ffaf5934dd58c92b7e20484acea59081b13b9e162
                                        • Opcode Fuzzy Hash: 5ac864c58040ecab1c2ffcb08ad5e966cfbb055ad162d917fc60074f2274fc74
                                        • Instruction Fuzzy Hash: 11D18D34911208DFDF14EFA8C858BEEBBB5BF14304F1441A9D405AB292DB74AE19CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00261E5F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00261E65
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00261F0F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00261F15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3D
                                        • API String ID: 3859560861-661694623
                                        • Opcode ID: d4afe0ba95bae516debae98b15c0298de76a93d65610c12ec4d1a1fce9f753a6
                                        • Instruction ID: 9106b9ae9ebe57f95b52ab4eda2615a9e3a5058b493dd094a50dead60d2274a8
                                        • Opcode Fuzzy Hash: d4afe0ba95bae516debae98b15c0298de76a93d65610c12ec4d1a1fce9f753a6
                                        • Instruction Fuzzy Hash: 54B17C70D10268DEEB20DF28CC45BDEB7B5AF01314F1442D9D919A7282DB74AA98CF91
                                        APIs
                                          • Part of subcall function 002425D0: __Init_thread_footer.LIBCMT ref: 0024263F
                                        • SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00240502
                                        • SendMessageW.USER32(?,0000104D,00000000,?), ref: 002405B7
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00240656
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00240701
                                          • Part of subcall function 00232970: RaiseException.KERNEL32(?,?,00000000,00000000,003B5A3C,C000008C,00000001,?,003B5A6D,00000000,?,002291C7,00000000,79276D7D,00000001,?), ref: 0023297C
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00240787
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$ExceptionInit_thread_footerRaise
                                        • String ID:
                                        • API String ID: 3442259968-0
                                        • Opcode ID: 1c25d6c96d33f3b5f26ed72906aab4163313c4ca94bed83890c471f7fe860622
                                        • Instruction ID: f8883ee024f9cc69d8035970982020db12440c57b8de2eb3542c822038fd155c
                                        • Opcode Fuzzy Hash: 1c25d6c96d33f3b5f26ed72906aab4163313c4ca94bed83890c471f7fe860622
                                        • Instruction Fuzzy Hash: 3DB11BB1D11359DBEB24DF54CD94BDABBB1FF48304F108299EA186B280D7B56A84CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00260A0F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00260A15
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00260ABF
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00260AC5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3D
                                        • API String ID: 3859560861-661694623
                                        • Opcode ID: 07181cc87cd9f94efc566a968ef9f1c18310e95f3c3e29db95cd85eb0b0ca1db
                                        • Instruction ID: aa1e1c9e33984f4f7d2544517a26956036ffdbf453b7f025f29d8441450886f4
                                        • Opcode Fuzzy Hash: 07181cc87cd9f94efc566a968ef9f1c18310e95f3c3e29db95cd85eb0b0ca1db
                                        • Instruction Fuzzy Hash: FD916970A11368DEEB21DF64CC85BDABBB5AF01304F1442D9D509A7282DB745F98CF92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ItemMessageSendWindow
                                        • String ID:
                                        • API String ID: 799199299-0
                                        • Opcode ID: 13d69baab3f557a8bdcff46f7ed830c64ff5c61f7b0f4f03414b26ae257ff149
                                        • Instruction ID: efb0f8192619e1e6e06c7ea1d620f0284d5a3d820d2773886b8d26ca4dd08985
                                        • Opcode Fuzzy Hash: 13d69baab3f557a8bdcff46f7ed830c64ff5c61f7b0f4f03414b26ae257ff149
                                        • Instruction Fuzzy Hash: 3141D636210122BFC795CF98FA98E76B7B9FB45311F04443AE549C6562D732EC20DB20
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0031BD04
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0031BD24
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0031BD4C
                                        • std::_Facet_Register.LIBCPMT ref: 0031BE2B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0031BE55
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                        • String ID:
                                        • API String ID: 459529453-0
                                        • Opcode ID: 326ba731969bca9570754bd9329079ffda2972e0721fdceca96528ecf7cbc1e9
                                        • Instruction ID: 627f87d7d2093b4763a3061991670bda96267f57483df9846832f2912a729a10
                                        • Opcode Fuzzy Hash: 326ba731969bca9570754bd9329079ffda2972e0721fdceca96528ecf7cbc1e9
                                        • Instruction Fuzzy Hash: 3F51AF70900218DFDB1ACF58D840BEEFBB4EF08314F25816DE845AB292DB75AE45CB91
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00277A99
                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 00277AA9
                                        • SendMessageW.USER32(?,000005FA,?,00000000), ref: 00277BC1
                                          • Part of subcall function 00286040: EnterCriticalSection.KERNEL32(}m'y,79276D7D), ref: 00286080
                                          • Part of subcall function 00286040: GetCurrentThreadId.KERNEL32 ref: 00286093
                                          • Part of subcall function 00286040: LeaveCriticalSection.KERNEL32(?), ref: 00286111
                                          • Part of subcall function 00280100: SetLastError.KERNEL32(0000000E,?,0027880B,?,?,?,?), ref: 00280118
                                        • GetLastError.KERNEL32(?,?,0044C530,00000000), ref: 00277B33
                                        • ShowWindow.USER32(?,0000000A,?,?,0044C530,00000000), ref: 00277B45
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
                                        • String ID:
                                        • API String ID: 2782539745-0
                                        • Opcode ID: dfb1f299dd3242f721a821d6c9479de452466886ff9a7568428d70fbc560cf4b
                                        • Instruction ID: d4b3f4838f861f3758b17c49ea3ee66d4b5683173cc54e0279e0d811b4a66e61
                                        • Opcode Fuzzy Hash: dfb1f299dd3242f721a821d6c9479de452466886ff9a7568428d70fbc560cf4b
                                        • Instruction Fuzzy Hash: 3931CD70D10248EBDB14EFA4C84ABDEBBB4EF50308F108269E5156B2D1DBB95A19CF91
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$Init
                                        • String ID:
                                        • API String ID: 3740757921-0
                                        • Opcode ID: 29fe07a5b5b4e1d3f4d6f0e3aadc23c8b77f364ea7cc7f0f15ac1c3c7ae3fe4f
                                        • Instruction ID: d098a39b21577e757dfe95cc1496b9456b298343b1763b67d452b4553076218e
                                        • Opcode Fuzzy Hash: 29fe07a5b5b4e1d3f4d6f0e3aadc23c8b77f364ea7cc7f0f15ac1c3c7ae3fe4f
                                        • Instruction Fuzzy Hash: 32311871D15248EFDB05CFA8D944BDEBBF8EF49304F10C69AE410A7290D7B5AA04CBA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0025472A
                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00254730
                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00254753
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,003E6756,000000FF), ref: 0025477B
                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,003E6756,000000FF), ref: 00254781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess$FormatMessage
                                        • String ID:
                                        • API String ID: 1606019998-0
                                        • Opcode ID: 84f9a11f0e8e9fd116d2bb64f6abc0672a532e3ac0447b3c0e214812ffe8145f
                                        • Instruction ID: 7a230223c515c63486c9de102c74b50f63d8eae155e19f675bcfb3eaa734dce3
                                        • Opcode Fuzzy Hash: 84f9a11f0e8e9fd116d2bb64f6abc0672a532e3ac0447b3c0e214812ffe8145f
                                        • Instruction Fuzzy Hash: EC1186B1A54219ABEB11EF94CC06BEFB7BCEB04708F100619F910AB6C1D7B599048795
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00240DCB
                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 00240E28
                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 00240E77
                                        • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00240E88
                                        • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00240E95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID:
                                        • API String ID: 312131281-0
                                        • Opcode ID: 6c3a8ac6b5757afc4c99579a02e64ff183979f1c35b0e4f737641b4a62953ce0
                                        • Instruction ID: d39132a89b3a6a191fcd8618a3b636acafc7b562e1364d675690c8a385742d34
                                        • Opcode Fuzzy Hash: 6c3a8ac6b5757afc4c99579a02e64ff183979f1c35b0e4f737641b4a62953ce0
                                        • Instruction Fuzzy Hash: 84215E31918346ABE220DF11CD44B1ABBF1BFEE758F202B1EF1D4211A4E7F191848E86
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 0033A570: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 0033A59D
                                        • _wcschr.LIBVCRUNTIME ref: 0033AAE2
                                        • _wcschr.LIBVCRUNTIME ref: 0033AB6F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer_wcschr$FileHeapModuleNameProcess
                                        • String ID: hE$lE
                                        • API String ID: 973101865-1549293132
                                        • Opcode ID: b121d129d713679239f4924b6f2eb901cc08db5c9b85cf34245050701cbc7355
                                        • Instruction ID: 915842fe26afa5c6344f082efe3549383f4ed49429da4fc7fdaff0b28a3526a6
                                        • Opcode Fuzzy Hash: b121d129d713679239f4924b6f2eb901cc08db5c9b85cf34245050701cbc7355
                                        • Instruction Fuzzy Hash: A7F1E271A00609DFDB05DFA8C889B9EFBF8FF44314F158269E815AB291EB749904CF91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: realm
                                        • API String ID: 2691759472-4204190682
                                        • Opcode ID: 37a456135dc76efd2deace49ad588807e48067874540ad324b7923f6de4d62de
                                        • Instruction ID: 5e5aae5b42da30fd71bd47dcd3bb21f52e62630e67ba431bf608f1b89810987d
                                        • Opcode Fuzzy Hash: 37a456135dc76efd2deace49ad588807e48067874540ad324b7923f6de4d62de
                                        • Instruction Fuzzy Hash: 8BF1B331A00619DFDB05DFA8C848F9EBBB9EF55325F158259F8149B2A1D730DD84CB90
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 0022D946
                                        • SendMessageW.USER32(?,00000000,00000000), ref: 0022DA42
                                          • Part of subcall function 0022F190: SysFreeString.OLEAUT32(00000000), ref: 0022F233
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CreateFreeMessageSendStringWindow
                                        • String ID: AtlAxWin140$>D
                                        • API String ID: 4045344427-2440186897
                                        • Opcode ID: d1b17f0c79798d09a962ee19fdbc8265e556c23ba5cf1cc60679fb88476715b1
                                        • Instruction ID: c97acd651946136afc3b8560ed0e7d2e0474236ed038c8d432c16fe6afe335b7
                                        • Opcode Fuzzy Hash: d1b17f0c79798d09a962ee19fdbc8265e556c23ba5cf1cc60679fb88476715b1
                                        • Instruction Fuzzy Hash: EC910374600205EFDB14CF64C888F5ABBB9FF48724F2085A9F8199B291CB75EA11CB90
                                        APIs
                                        • GetWindowRect.USER32(00000004,?), ref: 0028083C
                                        • MonitorFromWindow.USER32(?,00000002), ref: 00280860
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00280882
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MonitorWindow$FromInfoRect
                                        • String ID: U2;
                                        • API String ID: 1973172141-3377301532
                                        • Opcode ID: 3c9aaccba383d8403d7a1de7a54544b05b551db4feee985680fd03628f5a4cde
                                        • Instruction ID: f7e57e108b5a0214e605d7319c1c9d81409d20fe7e45180faa9d855a110e0c44
                                        • Opcode Fuzzy Hash: 3c9aaccba383d8403d7a1de7a54544b05b551db4feee985680fd03628f5a4cde
                                        • Instruction Fuzzy Hash: 1E717975D10208AFDB54DFA4DD59FAEBBF9EF88700F204229F805A7290DB70A914CB64
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 0027C4EE
                                        • SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 0027C6C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID: AiDlgHeight$AiDlgWeight
                                        • API String ID: 3200805268-871102398
                                        • Opcode ID: 0860d1c6938c8d5e4911bf2e785e79fb11638bb48110c194f9b140ae9735d899
                                        • Instruction ID: 7f6d933b238d0c8a3a1d82f96a54de78be21a5d3bc9d21e41b59c2d0f5d43d72
                                        • Opcode Fuzzy Hash: 0860d1c6938c8d5e4911bf2e785e79fb11638bb48110c194f9b140ae9735d899
                                        • Instruction Fuzzy Hash: AA618071D00249EFCB04DFA8D985BDEBBB9EF48314F248169E815AB291D774AA14CF90
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,79276D7D,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 0035F974
                                          • Part of subcall function 00325170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0041A8AD,000000FF), ref: 00325188
                                          • Part of subcall function 00325170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,0041A8AD,000000FF), ref: 003251BB
                                          • Part of subcall function 00232970: RaiseException.KERNEL32(?,?,00000000,00000000,003B5A3C,C000008C,00000001,?,003B5A6D,00000000,?,002291C7,00000000,79276D7D,00000001,?), ref: 0023297C
                                          • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocExceptionHeapObjectRaiseSingleWait
                                        • String ID: *.*$.jar$.pack
                                        • API String ID: 1065105516-3892993289
                                        • Opcode ID: 64cbdc36e23b327b60b5542e97e9a3a1e35af8e88f50969e2f538465f2afe1a2
                                        • Instruction ID: b64199fcd0d068e4577d51e923f567b3f0b52e5974d7362b6ba38d76559f1415
                                        • Opcode Fuzzy Hash: 64cbdc36e23b327b60b5542e97e9a3a1e35af8e88f50969e2f538465f2afe1a2
                                        • Instruction Fuzzy Hash: 91516F70A006169FDB11DFA9C844FAEB7B4FF44315F158269E825EB2A1DB34D908CF91
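The function records in this listing (an APIs block with call refs and "Part of subcall function" nesting, a Strings block, the Memory Dump Source with its image base, and the Similarity block whose String ID joins the function's strings with "$") follow one regular layout that is slow to pivot through by hand. The Python parser below is an added example written for this page, not Joe Sandbox code: it turns records in that layout into structured objects and flattens each one into the fields an analyst pivots on, such as which APIs the function calls directly versus through a callee, and which of its strings look like file masks or extensions (the record just above carries `*.*`, `.jar` and `.pack`). The sample text is copied from the records on this page; the layout rules it relies on (a record starts at an APIs or Strings header, "$" is the string separator, the "Download File" link label is glued onto dump names) are inferred from this page and are assumptions about the tool's output, not documented behaviour.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source / Similarity).
Added example, not Joe Sandbox code: the record layout is inferred from this page's listing."""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Name.MODULE(args), ref: ADDR; args are optional ("_wcschr.LIBVCRUNTIME ref: 0033AAE2")
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: \w+$")
# Strings that look like file masks or extensions ("*.*", ".jar"): enumeration targets worth pivoting on.
FILE_PATTERN_RE = re.compile(r"^(?:\*\.\*|\*?\.\w+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                   # address of the call instruction
    subcall_of: Optional[str]  # callee address when the call happens inside a subroutine


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    source_file: Optional[str] = None
    base: Optional[str] = None   # image base the dump was taken at; RVA = int(ref, 16) - int(base, 16)


def _clean(raw):
    # Drop indentation and bullet; the page glues the "Download File" link label onto dump names.
    return raw.strip().lstrip("• ").removesuffix("Download File").strip()


def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTION_HEADERS:
            # A record opens with "APIs" or "Strings"; one of those after "Similarity" starts the next record.
            if line in ("APIs", "Strings") and (rec is None or rec.similarity):
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            rec.source_file, rec.base = m["file"], m["base"]
        elif section == "Similarity":
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            rec.similarity[key] = value
            if key == "String ID":
                # Joe Sandbox joins strings with '$'; a string containing '$' itself would be split here.
                rec.strings = [s for s in value.split("$") if s]
    return records


def summarize(rec):
    """Flatten one record into the fields an analyst pivots on."""
    return {
        "direct_apis": sorted({f"{a.module}!{a.name}" for a in rec.apis if a.subcall_of is None}),
        "subcall_apis": sorted({f"{a.module}!{a.name}" for a in rec.apis if a.subcall_of}),
        "strings": rec.strings,
        "file_patterns": [s for s in rec.strings if FILE_PATTERN_RE.match(s)],
        "instruction_fuzzy_hash": rec.similarity.get("Instruction Fuzzy Hash"),
    }


# Constructed sample: two records copied from the listing on this page.
SAMPLE = """\
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,79276D7D,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 0035F974
  • Part of subcall function 00325170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0041A8AD,000000FF), ref: 00325188
  • Part of subcall function 00229B10: HeapAlloc.KERNEL32(?,00000000,?,79276D7D,00000000,003DD840,000000FF,?,?,004B9A1C,?,0035BB18,80004005,79276D7D), ref: 00229B5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$AllocExceptionHeapObjectRaiseSingleWait
• String ID: *.*$.jar$.pack
• Instruction Fuzzy Hash: 91516F70A006169FDB11DFA9C844FAEB7B4FF44315F158269E825EB2A1DB34D908CF91
APIs
Strings
Similarity
• API ID: _wcschr
• String ID: realm
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(summarize(rec))
```

Run against the whole listing, `summarize` gives one row per function; the `direct_apis` and `file_patterns` columns are what separate the Java-archive enumeration above (`WaitForSingleObject` over `*.*`, `.jar`, `.pack`) from the many UI-only functions around it. The `base` field is the address the dump was taken at, so `int(ref, 16) - int(base, 16)` gives the RVA to jump to in a disassembler that loaded the dumped image.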
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: P\L$T\L$Windows.UI.Xaml.Controls.CheckBox
                                        • API String ID: 0-2012647524
                                        • Opcode ID: c8b8e01a83c75e1f3401d7a0578e287660aec05271a251ed9fa74de484dc7883
                                        • Instruction ID: 19649c6deafd7a8a4a82392e39e91e60c8688c723234eddba942d3b0f35b18d6
                                        • Opcode Fuzzy Hash: c8b8e01a83c75e1f3401d7a0578e287660aec05271a251ed9fa74de484dc7883
                                        • Instruction Fuzzy Hash: E5519FB5D11219DBDB00DF94C981BEEBBB8FB04714F20412AE815A73C0D7B96A48CBE5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ([L$,[L$Windows.UI.Xaml.Controls.ListBoxItem
                                        • API String ID: 0-753802402
                                        • Opcode ID: 7994f4a4007b35f069e50a0f08d7d919d6e6cab1a6961856695a72b8a0a00b4c
                                        • Instruction ID: 7d8f0ffb55e45cd25f6824d056a0beb55f7c38db2933c69553a1c67ef6e88913
                                        • Opcode Fuzzy Hash: 7994f4a4007b35f069e50a0f08d7d919d6e6cab1a6961856695a72b8a0a00b4c
                                        • Instruction Fuzzy Hash: F45190B1D10219EBDB00DFA4DC41BEEBBB8FB04714F10456AE915A7380DB756A44CBE5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \L$$\L$Windows.Foundation.Uri
                                        • API String ID: 0-2804300113
                                        • Opcode ID: 277272e6a58951d529b9ebffa90661f4af3fd9438f11253c602bacbf6f62208b
                                        • Instruction ID: 6f52d58436d9bd0a1c79e7dfa3b26e4bd6dc83b631b8287eeba2c1a4264779b8
                                        • Opcode Fuzzy Hash: 277272e6a58951d529b9ebffa90661f4af3fd9438f11253c602bacbf6f62208b
                                        • Instruction Fuzzy Hash: 32519FB5D1121ADBDB00EF94DD41BEEBBB8EB04714F10452AE815A73C0DBB56A44CBD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ListViewItem$x[L$|[L
                                        • API String ID: 0-1949322299
                                        • Opcode ID: 3e1c04872cb6dde51f4065070ce78d08c77c771a8c8d7f6e472adf3420f561ae
                                        • Instruction ID: a9d7811c677995398db57ccc85a8b0b3607f92b4cca4f254360dd2a2303c8d74
                                        • Opcode Fuzzy Hash: 3e1c04872cb6dde51f4065070ce78d08c77c771a8c8d7f6e472adf3420f561ae
                                        • Instruction Fuzzy Hash: 33519EB1D1061AEBDB00DF98C841BEEFBB8FB04715F10452AE815A7380D7B56A48CBE5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.Grid$ZL$ZL
                                        • API String ID: 0-2539264344
                                        • Opcode ID: 3893a579364ad43971017272a0fe7faed808a9f842820b680380f985e1f76000
                                        • Instruction ID: b0b7ff8778a0824a084ae21ab0425afdf587f5169a30315e728cb791b8ccf3c5
                                        • Opcode Fuzzy Hash: 3893a579364ad43971017272a0fe7faed808a9f842820b680380f985e1f76000
                                        • Instruction Fuzzy Hash: 5651BEB1D1021AEBCB00DF94C881BEFFBB8FB04714F10412AE805A7280D7B56A58CBD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.TreeView$XZL$\ZL
                                        • API String ID: 0-1940702151
                                        • Opcode ID: 8ddc3cae733cdde9d78ad466242413027ec1c2d623c06d6d00ba37df91ed16ea
                                        • Instruction ID: 34ce15c697370dedb9b66d9ec6a2478a265406f400017c49b4278eb03a779209
                                        • Opcode Fuzzy Hash: 8ddc3cae733cdde9d78ad466242413027ec1c2d623c06d6d00ba37df91ed16ea
                                        • Instruction Fuzzy Hash: BD51BFB1D1061AEBDB00DF98C841BEFBBB8FF04714F20452AE815A7280D7B56A58CBD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H[L$L[L$Windows.UI.Text.FontWeights
                                        • API String ID: 0-3732253990
                                        • Opcode ID: 66505ef3383ca401ae9a205e59ce33fe83dda3d6b9b896d6a48200ec5d50e2ce
                                        • Instruction ID: c07467abac6bbc93b9318f3b111ce6c79c32a380f405e038435377bc0acd8868
                                        • Opcode Fuzzy Hash: 66505ef3383ca401ae9a205e59ce33fe83dda3d6b9b896d6a48200ec5d50e2ce
                                        • Instruction Fuzzy Hash: D4518DB191025ADFDB10DFA8D841BAEBBB4FF04314F10466AE914A7380EB746A48CB95
                                        APIs
                                        • ShowWindow.USER32(00000000,00000005,?,?,?), ref: 0027881F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID: (0;$|f'$|f'
                                        • API String ID: 1268545403-2363562750
                                        • Opcode ID: 15d24894e415dadd8afd558ccf740981ac481af71133c7aa4d704a02b81ac545
                                        • Instruction ID: 0131b82048aa845d00fb88657e07880594a6a611d3e14e0d67860e87ee847e68
                                        • Opcode Fuzzy Hash: 15d24894e415dadd8afd558ccf740981ac481af71133c7aa4d704a02b81ac545
                                        • Instruction Fuzzy Hash: 2F41A130901209EFDB15DFA4C859BDEBBB4FF08314F24416DE819AB282DB75AA04CF51
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5958,Windows.Management.Deployment.PackageManager,0000002C,79276D7D,?,?,?,004C5954,003E6017,000000FF), ref: 00252808
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: PYL$TYL$Windows.Management.Deployment.PackageManager
                                        • API String ID: 4129690577-2446590760
                                        • Opcode ID: 7668009fbe83fe502414f452ddf45207f65adf9179048812adf4b8e7c3d617cc
                                        • Instruction ID: 33c4824059d83734f66aa43ad38a27b524e996440cd238c606c2a3a821086794
                                        • Opcode Fuzzy Hash: 7668009fbe83fe502414f452ddf45207f65adf9179048812adf4b8e7c3d617cc
                                        • Instruction Fuzzy Hash: D9319CB191021AEBDB00DF94C845BEEFBB4FB05715F50416AE814AB2C0DBB46B58CBD5
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5A80,Windows.UI.Xaml.Controls.Image,0000001E,79276D7D), ref: 002722E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.UI.Xaml.Controls.Image$xZL$|ZL
                                        • API String ID: 4129690577-4143579661
                                        • Opcode ID: af3816bb80e25002865aa92ae9af444bc3b0beebde0429adb7199a6ea9bd9793
                                        • Instruction ID: 111879aebcd5c30d0afee310dabf4bdb11890c5a47a6e2ee7bfe90beb8ed3a32
                                        • Opcode Fuzzy Hash: af3816bb80e25002865aa92ae9af444bc3b0beebde0429adb7199a6ea9bd9793
                                        • Instruction Fuzzy Hash: FE318B7191021AEBDB00DFA9C845BEEBBB4FB14314F10426AE81467280DBB56A48CBD1
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5B70,Windows.Foundation.PropertyValue,00000020,79276D7D,00000000,00000000), ref: 00284AD6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.Foundation.PropertyValue$h[L$l[L
                                        • API String ID: 4129690577-2382600991
                                        • Opcode ID: 2dfeb36242e1b73c76c54ce89e275051bdf24eeefdeae0aadb393c35ee46b836
                                        • Instruction ID: b219a2f73119a87b89bc413afc9af893fb805e5bf504a766c37b9795536103c1
                                        • Opcode Fuzzy Hash: 2dfeb36242e1b73c76c54ce89e275051bdf24eeefdeae0aadb393c35ee46b836
                                        • Instruction Fuzzy Hash: 29318B75D1121AEBDB05EFA4C855BAEFBB4FB04714F20406AE8116B2C0DBB46A48CBD5
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5B70,Windows.Foundation.PropertyValue,00000020,79276D7D,?,?), ref: 00299AF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: Windows.Foundation.PropertyValue$h[L$l[L
                                        • API String ID: 4129690577-2382600991
                                        • Opcode ID: 967463709c53cf394d9081c45802c9e3bf5561adfd349add2a876ac06f4ef3a4
                                        • Instruction ID: 0cfc2b097a3d6e48012b5435b9f4548c7fe706792ea82da66cc5e54745539ef5
                                        • Opcode Fuzzy Hash: 967463709c53cf394d9081c45802c9e3bf5561adfd349add2a876ac06f4ef3a4
                                        • Instruction Fuzzy Hash: 7A319C71D1121AEBDB04DFA8C845BEEFBB4FB44714F14402EE81167280DBB46A88CBD5
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • VariantClear.OLEAUT32 ref: 00236603
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$ClearHeapProcessVariant
                                        • String ID: }m'y$}m'y$}m'y
                                        • API String ID: 1301896575-414442922
                                        • Opcode ID: 38800c5dedea4cab9f42085c9f074eebabd75e54d04ca81cae77642d73c5dd26
                                        • Instruction ID: 09e5f88336773bd0799e1d90fb586deb86110b808c5efab4407e377ea5aa5135
                                        • Opcode Fuzzy Hash: 38800c5dedea4cab9f42085c9f074eebabd75e54d04ca81cae77642d73c5dd26
                                        • Instruction Fuzzy Hash: AC119471A04658FFC715DF58DC01BAAB7A8EB04720F00476EFC25D7790DB7599108B94
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0035029A,?,79276D7D,?,?,?,000000FF,?), ref: 00352154
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0035029A,?,79276D7D,?,?,?,000000FF,?,0034FC64), ref: 00352171
                                        • GetLastError.KERNEL32(?,79276D7D,?,?,?,000000FF,?,0034FC64,?,?,00000000,00000000,79276D7D,?,?), ref: 003521D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CreateEvent$ErrorLast
                                        • String ID: AdvancedInstaller
                                        • API String ID: 1131763895-1372594473
                                        • Opcode ID: d5ebf7bbeaa9e3fd1633569db45d45ca5743368c0c65e107a741172e669dbeba
                                        • Instruction ID: 04470ae13a89c04133e3efccc4ddd18655464c04f3e1a04caa003941fd6a6b34
                                        • Opcode Fuzzy Hash: d5ebf7bbeaa9e3fd1633569db45d45ca5743368c0c65e107a741172e669dbeba
                                        • Instruction Fuzzy Hash: FF11B131340602BBD715CB21DD89F17F7A4BB45701F124428FA019B690CB70F955CBA4
                                        APIs
                                        • GetProcessHeap.KERNEL32 ref: 00229EA5
                                        • __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        • __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionHeapProcessVariableWake
                                        • String ID: }m'y
                                        • API String ID: 3269001908-184714451
                                        • Opcode ID: c9d23a6836e3176d58f2008c3a5ae40b54989d7148e0255359fb449cd1c3fa36
                                        • Instruction ID: c96d0f3ccd598fe1fa8c7f47811dd8fd8b4e24757379e5aad4de4f31dde1c3ae
                                        • Opcode Fuzzy Hash: c9d23a6836e3176d58f2008c3a5ae40b54989d7148e0255359fb449cd1c3fa36
                                        • Instruction Fuzzy Hash: 5221DEF0901B09EBC390DF58ED06F9D77A4E749734F508AAAE4248B6D0C7787A808B59
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Destroy
                                        • String ID: Eg'$Eg'
                                        • API String ID: 3707531092-1006138911
                                        • Opcode ID: 551cff7db94402bd3a6bb7c16229d465cf5300b16463ef03791646ead1ad1c34
                                        • Instruction ID: 4905bcd5cabccd4190459f4098b2283374492f96345ef875c70b5cee607d0d59
                                        • Opcode Fuzzy Hash: 551cff7db94402bd3a6bb7c16229d465cf5300b16463ef03791646ead1ad1c34
                                        • Instruction Fuzzy Hash: 1021DE30904389EFCB11CF68C904B9DFBF8EB44710F10826AE42997291CBB5AA54CB94
                                        APIs
                                        • CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00302A0B
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00302A23
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00302A2B
                                          • Part of subcall function 00230DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00230DE6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$CreateLong
                                        • String ID: RichEdit20W
                                        • API String ID: 4015368215-4173859555
                                        • Opcode ID: 77de2f817ac164037ca7decb877e8b625a52d350bde79daef7151e7069ddd98c
                                        • Instruction ID: 35ab9febd87c65979b3964ab6d703d705c0a56c97dc7758d62f757fb46932aad
                                        • Opcode Fuzzy Hash: 77de2f817ac164037ca7decb877e8b625a52d350bde79daef7151e7069ddd98c
                                        • Instruction Fuzzy Hash: 10015735305210BFD6149B15DD04F6BFBE9FBC9760F15821AFA08A72A0C6B1AC00CAA5
                                        APIs
                                        • GetParent.USER32(?), ref: 00284881
                                        • GetParent.USER32(?), ref: 0028488A
                                        • SendMessageW.USER32(?,00000411,00000000,?), ref: 0028489F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                         • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Parent$MessageSend
                                        • String ID: ,
                                        • API String ID: 2251359880-3772416878
                                        • Opcode ID: e2e144afde4bcac23311ea09c9261c0092f15b3d8fbf3807ab74db91bcdc97f1
                                        • Instruction ID: 138303fba914710aa28f5cfeeee6d35bb7c371211448d24a877090101c54d940
                                        • Opcode Fuzzy Hash: e2e144afde4bcac23311ea09c9261c0092f15b3d8fbf3807ab74db91bcdc97f1
                                        • Instruction Fuzzy Hash: C011C071525302AFD710EF18DC44B1AFBF4FB89300F00492AF61482690D7B1E824CF96
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 0022F06A
                                        • SysFreeString.OLEAUT32(00000000), ref: 0022F0B6
                                        • SysFreeString.OLEAUT32(00000000), ref: 0022F0D8
                                        • SysFreeString.OLEAUT32(00000000), ref: 0022F233
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: String$Free$Alloc
                                        • String ID:
                                        • API String ID: 986138563-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        • SysFreeString.OLEAUT32(00000000), ref: 002346F0
                                        • SysFreeString.OLEAUT32(00000000), ref: 00234731
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: FreeString
                                        • String ID:
                                        • API String ID: 3341692771-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,79276D7D), ref: 00254209
                                        • HeapFree.KERNEL32(00000000,?,?,79276D7D), ref: 0025420F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: tYL$tYL
                                        • API String ID: 3859560861-1534252146
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(79276D7D,79276D7D,?), ref: 0023CD2F
                                        • EnterCriticalSection.KERNEL32(?,79276D7D,?), ref: 0023CD3C
                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 0023CE13
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: rw
                                        • API String ID: 3991485460-1192573183
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 0033C70F
                                        • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 0033C71C
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0033C739
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0033C75B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        APIs
                                        • MulDiv.KERNEL32(00000010,?,00000060), ref: 00276467
                                        • GetWindowRect.USER32(?,?), ref: 002764B6
                                        • GetWindowLongW.USER32(?,000000EC), ref: 002764DF
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 00276571
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Window$LongRect
                                        • String ID:
                                        • API String ID: 463821813-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0041A8AD,000000FF), ref: 00325188
                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,0041A8AD,000000FF), ref: 003251BB
                                        • GetStdHandle.KERNEL32(000000F5,?,79276D7D,00000000,003DD840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00325226
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,79276D7D,00000000,003DD840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 0032522D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: ByteCharMultiWide$AttributeConsoleHandleText
                                        • String ID:
                                        • API String ID: 3849414675-0
                                        APIs
                                        • GetParent.USER32(00000000), ref: 0027996F
                                        • GetParent.USER32(00000000), ref: 00279977
                                        • GetParent.USER32(00000000), ref: 0027997C
                                        • SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 0027998D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Parent$MessageSend
                                        • String ID:
                                        • API String ID: 2251359880-0
                                        APIs
                                        • SetWindowLongW.USER32(?,000000FC,00000000), ref: 00238A19
                                        • GetParent.USER32(?), ref: 00238A4D
                                          • Part of subcall function 003B5D0D: GetProcessHeap.KERNEL32(00000008,00000008,?,00230DC7,?,?,00230B74,?), ref: 003B5D12
                                          • Part of subcall function 003B5D0D: HeapAlloc.KERNEL32(00000000,?,?,00230B74,?), ref: 003B5D19
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00238A80
                                        • ShowWindow.USER32(?,00000000), ref: 00238A96
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: Window$HeapLong$AllocParentProcessShow
                                        • String ID:
                                        • API String ID: 78937335-0
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,79276D7D), ref: 0023CB8A
                                        • EnterCriticalSection.KERNEL32(?,79276D7D), ref: 0023CB97
                                        • LeaveCriticalSection.KERNEL32(?), ref: 0023CBE8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: rw
                                        • API String ID: 3991485460-1192573183
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,79276D7D), ref: 0023CC7A
                                        • EnterCriticalSection.KERNEL32(?,79276D7D), ref: 0023CC87
                                        • LeaveCriticalSection.KERNEL32(?), ref: 0023CCCE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: rw
                                        • API String ID: 3991485460-1192573183
                                        • Opcode ID: 939cef17cab645e225bf7353ae8c0a1ec41e47eb02162a37f2728249b6727f33
                                        • Instruction ID: d90eaaf1d0263080935d744b2ad1051572a8532b98e3cf7e85b1ca75ee42b7d0
                                        • Opcode Fuzzy Hash: 939cef17cab645e225bf7353ae8c0a1ec41e47eb02162a37f2728249b6727f33
                                        • Instruction Fuzzy Hash: 6D21B2719002459FDB11CF24D844BE9BBB4FF15324F2006BAEC59AB292D7319909CBA0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(}m'y,79276D7D), ref: 00285D80
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00285DB1
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave
                                        • String ID: rw$}m'y
                                        • API String ID: 3168844106-2181794445
                                        • Opcode ID: c833a687ab3db55ced60246e3373132543df5216dfbeccca42668ed02d7254e4
                                        • Instruction ID: beef0cab9fa14229fefefed2524130d45680c3cce4e29b4177dfa30ef958e74f
                                        • Opcode Fuzzy Hash: c833a687ab3db55ced60246e3373132543df5216dfbeccca42668ed02d7254e4
                                        • Instruction Fuzzy Hash: F5212135A15625DFDB15DF18C948BAEBBB4FB05324F204269F821A72D0C371AD248BA0
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,79276D7D,?), ref: 0023CABD
                                        • EnterCriticalSection.KERNEL32(?,79276D7D,?), ref: 0023CACA
                                        • LeaveCriticalSection.KERNEL32(?), ref: 0023CAF2
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: rw
                                        • API String ID: 3991485460-1192573183
                                        • Opcode ID: e2ae9eb8a276e7207d92b464a18c64afb2b03803d82f4ccb852e4cbca78722e0
                                        • Instruction ID: 41a4c6097f0392fb397c2dd6e18f27081674eadf55c5512bf12882b893822cd9
                                        • Opcode Fuzzy Hash: e2ae9eb8a276e7207d92b464a18c64afb2b03803d82f4ccb852e4cbca78722e0
                                        • Instruction Fuzzy Hash: 1621D3769043499FCF05CF64CC40BEABB74EB56324F2046ADE855A7392DB325A09CBA0
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000001,?,79276D7D,?,?,00000000,003DD670,000000FF,?,003612A8,00000000,80004005,?,004C4C50,?,?), ref: 003612F7
                                        • GetExitCodeThread.KERNEL32(00000001,80004005,?,?,00000000,003DD670,000000FF,?,003612A8,00000000), ref: 00361311
                                        • TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,003DD670,000000FF,?,003612A8,00000000), ref: 00361329
                                        • CloseHandle.KERNEL32(00000001,?,?,00000000,003DD670,000000FF,?,003612A8,00000000,80004005,?,004C4C50,?,?,00343989), ref: 00361332
                                        Similarity
                                        • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                        • String ID:
                                        • API String ID: 3774109050-0
                                        • Opcode ID: d71a9385dbd4627e6e277954a200844d13cb0e59b6f0320672b46979fe62a6c3
                                        • Instruction ID: 72bd1f27c8614b461ec058ce153df8306c2e3e321e79d919457e8d498673c8ee
                                        • Opcode Fuzzy Hash: d71a9385dbd4627e6e277954a200844d13cb0e59b6f0320672b46979fe62a6c3
                                        • Instruction Fuzzy Hash: 17019E75500705EFCB218F54DD04BA6F7FCFB04720F14862EF82692AA0DB75A804CA58
                                        APIs
                                        • GetWindowRect.USER32(00000000,?), ref: 002BFAD1
                                        • SendMessageW.USER32(00000000,00000317,?,00000014), ref: 002BFB65
                                        Strings
                                        Similarity
                                        • API ID: MessageRectSendWindow
                                        • String ID: U2;
                                        • API String ID: 2814762282-3377301532
                                        • Opcode ID: 68140c11de25c3fba9adb5fc687e88c36b96880ce0ea23b6804fb0c3bac2db58
                                        • Instruction ID: 116bc07cd36b9ff26efc949e1d34101f095500c6df7d3452bf34b940d3f2c69c
                                        • Opcode Fuzzy Hash: 68140c11de25c3fba9adb5fc687e88c36b96880ce0ea23b6804fb0c3bac2db58
                                        • Instruction Fuzzy Hash: 39B18974A10609DFDB14CFA8CA54B9DFBB4FF48304F18826AE815AB391D770A991CB90
                                        APIs
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                        • DeleteFileW.KERNEL32(?), ref: 003603FA
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 0036052F
                                          • Part of subcall function 0034F280: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,79276D7D,00000001,7686EB20,00000000), ref: 0034F2CF
                                          • Part of subcall function 0034F280: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,79276D7D,00000001,7686EB20,00000000), ref: 0034F305
                                          • Part of subcall function 0034C7E0: LoadStringW.USER32(000000A1,?,00000514,79276D7D), ref: 0034C836
                                        Strings
                                        • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 003603AE
                                        Similarity
                                        • API ID: File$DeleteInit_thread_footer$CreateHeapLoadProcessReadString
                                        • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                        • API String ID: 3544038457-3685554107
                                        • Opcode ID: 9654b671643dbaa262e6b84d8e48a6c2efbcb7ff1f299e5b235112d0706e0b8e
                                        • Instruction ID: 572807d99d2ba39988f22fcc28339ca34d2a02163ac6431a9053041e946adc87
                                        • Opcode Fuzzy Hash: 9654b671643dbaa262e6b84d8e48a6c2efbcb7ff1f299e5b235112d0706e0b8e
                                        • Instruction Fuzzy Hash: D691D131A006059FDB05DFA8C845B9EBBB5FF45324F1982A9E915DB2A2DB30DD04CF90
                                        APIs
                                        • GetSystemDefaultLangID.KERNEL32(79276D7D,-00000044,?,-00000048,00000000), ref: 00344C76
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 00344050: GetLocaleInfoW.KERNEL32(?,00000002,0044337C,00000000), ref: 003440C1
                                          • Part of subcall function 00344050: GetLocaleInfoW.KERNEL32(?,00000002,00343B85,-00000001,00000078,-00000001), ref: 003440FD
                                        Strings
                                        Similarity
                                        • API ID: InfoInit_thread_footerLocale$DefaultHeapLangProcessSystem
                                        • String ID: SystemDefault LangID=$T`L
                                        • API String ID: 185108660-2155230632
                                        • Opcode ID: 36b501b219b3973b4ef68242681dc05509d62e658b07f86148f3ab6258e223c1
                                        • Instruction ID: baa8bfde4a86314b4029ec5916c329c965785f01a99dfd7663bf0dc748e8b8c7
                                        • Opcode Fuzzy Hash: 36b501b219b3973b4ef68242681dc05509d62e658b07f86148f3ab6258e223c1
                                        • Instruction Fuzzy Hash: EA51BE31A00A159BDB11DF68C845BAAF7F5FF81321F1583A9E8259B2D6DB34AD00CB90
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.Grid$}m'y
                                        • API String ID: 0-1336049469
                                        • Opcode ID: f217e118cadcefe29e4bbcb62f4c31cc4f77e62e4b63b1305edc3bb33037b7a9
                                        • Instruction ID: 57b2f69192694fc95ddd3f74d41335254090b0174cf2c3fd68e1377acb28fd5a
                                        • Opcode Fuzzy Hash: f217e118cadcefe29e4bbcb62f4c31cc4f77e62e4b63b1305edc3bb33037b7a9
                                        • Instruction Fuzzy Hash: CB61A6B0900609EFDB11DFA4C945BAFBBB8FF08714F10466AE810A7391DB75AA05CF94
                                        APIs
                                          • Part of subcall function 003B6662: EnterCriticalSection.KERNEL32(004C4CD8,?,?,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B666D
                                          • Part of subcall function 003B6662: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229EF6,004C5904,79276D7D,?,?,003DDE0D,000000FF,?,0035BABC,79276D7D), ref: 003B66AA
                                        • __Init_thread_footer.LIBCMT ref: 0026D28D
                                          • Part of subcall function 003B6618: EnterCriticalSection.KERNEL32(004C4CD8,?,?,00229F67,004C5904,00436640), ref: 003B6622
                                          • Part of subcall function 003B6618: LeaveCriticalSection.KERNEL32(004C4CD8,?,00229F67,004C5904,00436640), ref: 003B6655
                                          • Part of subcall function 003B6618: RtlWakeAllConditionVariable.NTDLL ref: 003B66CC
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                        • String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
                                        • API String ID: 2296764815-2445763458
                                        • Opcode ID: 70ba758029971c5bb89b984284560f8bfa6c8fef7e1edfd41bb811e1283a06b5
                                        • Instruction ID: 902cc3a6bb5fbbaad762a358b0276622eeb9912da120470e96bacaeaeb588a9e
                                        • Opcode Fuzzy Hash: 70ba758029971c5bb89b984284560f8bfa6c8fef7e1edfd41bb811e1283a06b5
                                        • Instruction Fuzzy Hash: ED71B570900289EFDB05CF68C915BDEBBB0BF14304F148259E815673D1DBB95A58CFA2
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,79276D7D,00000000,00000000), ref: 00313D11
                                        Strings
                                        Similarity
                                        • API ID: Path
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 2875597873-3019864461
                                        • Opcode ID: e457d38334d7f8421301595f31b58c8da52608018f6793662ab521956dd360cd
                                        • Instruction ID: da140901bf9890722872ddbf086f93619ab1e3662e9e75aaef90d8ed72e82495
                                        • Opcode Fuzzy Hash: e457d38334d7f8421301595f31b58c8da52608018f6793662ab521956dd360cd
                                        • Instruction Fuzzy Hash: C751C371E10604DBDB19DF58D885BEEF7B5FF48704F20811DE8016B281DB75AA58CBA1
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,79276D7D,?,?,004C6054), ref: 0035858F
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,004C6054), ref: 003585F0
                                        Strings
                                        Similarity
                                        • API ID: CreateDirectoryPathTemp
                                        • String ID: ADVINST_LOGS
                                        • API String ID: 2885754953-2492584244
                                        • Opcode ID: 1a7556f3f65239f1a9eacec909a575f059ca49fadcc9e5e150eead22e0c9e94e
                                        • Instruction ID: 5dbfe3f2538c5c148a9dc401f3b00153a178b8491dfaaf6c8b0718e45aa32f08
                                        • Opcode Fuzzy Hash: 1a7556f3f65239f1a9eacec909a575f059ca49fadcc9e5e150eead22e0c9e94e
                                        • Instruction Fuzzy Hash: B351D375940219CBCB319F28C844BB6B3B4FF14315F2546AEED49A72A1EF748D89CB90
                                        APIs
                                        • WriteFile.KERNEL32(?,?,?,?,00000000,79276D7D,?,00000010,?,?,003DF36E,000000FF), ref: 0035C428
                                          • Part of subcall function 00229E50: GetProcessHeap.KERNEL32 ref: 00229EA5
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229ED7
                                          • Part of subcall function 00229E50: __Init_thread_footer.LIBCMT ref: 00229F62
                                          • Part of subcall function 0035C240: ConnectNamedPipe.KERNEL32(?,00000000,79276D7D,?,000000FF,?,00000000,004262A6,000000FF,?,0035C45A,000000FF,?,00000001), ref: 0035C27A
                                          • Part of subcall function 0035C240: GetLastError.KERNEL32(?,0035C45A,000000FF,?,00000001), ref: 0035C284
                                        Strings
                                        Similarity
                                        • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessWrite
                                        • String ID: \\.\pipe\ToServer$}m'y
                                        • API String ID: 3549655173-328139405
                                        • Opcode ID: f163b118c779f600b6cdc379c204a94b4617091fc833d119cf907119da87196f
                                        • Instruction ID: ee28f5e779b3de300e0d2b3fe4a0c77210a1e150e60b648d480775c887cec979
                                        • Opcode Fuzzy Hash: f163b118c779f600b6cdc379c204a94b4617091fc833d119cf907119da87196f
                                        • Instruction Fuzzy Hash: EC41CD71610214AFDB05CF59D805FAEB7A8EB44728F00826EFC15DB390DBB5A904CB94
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Hosting.WindowsXamlManager$}m'y
                                        • API String ID: 0-4239443272
                                        • Opcode ID: 7693f3b8eb9b6d7aeafd59b46d2f1868f741d6899411e9e6984101ad05bfb446
                                        • Instruction ID: 2a130ff2cfedc2b05205c4e6cc8e8569ec1240ce4c0ba6917fd80c03d0454f64
                                        • Opcode Fuzzy Hash: 7693f3b8eb9b6d7aeafd59b46d2f1868f741d6899411e9e6984101ad05bfb446
                                        • Instruction Fuzzy Hash: 795190B5D1121ADBDB00DF98C845BEEFBB4FB04714F10416AE815A7380DBB5AA48CBD5
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.Pivot$}m'y
                                        • API String ID: 0-3743839013
                                        • Opcode ID: 115a34185b725024b0a89ee6957d0589f02f58c7b9a0fc83ce398fe7321abffe
                                        • Instruction ID: 42396115a41b873d1e33b431bafa238cbd4ed8ecb56c9c9f6fc1750c3e8ce4ed
                                        • Opcode Fuzzy Hash: 115a34185b725024b0a89ee6957d0589f02f58c7b9a0fc83ce398fe7321abffe
                                        • Instruction Fuzzy Hash: 7D519FB1D1061AEBDB00DF99C881BEFBBB4FB04714F20452AE815A7280D7B56A48CBD5
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ListBox$}m'y
                                        • API String ID: 0-3985360200
                                        • Opcode ID: 0769e5076cbdc361199698286da546cfbffb9933d716350b7363a3fd20df5d29
                                        • Instruction ID: 84af2b1a43e272455c98cfed73ff76d5d65ec7efc89e743b16f3b54c1003ccea
                                        • Opcode Fuzzy Hash: 0769e5076cbdc361199698286da546cfbffb9933d716350b7363a3fd20df5d29
                                        • Instruction Fuzzy Hash: 97519DB1D1021AEFDB11DF99C841BEEBBB8FB04714F10452AE815A7380D7B56A48CBD5
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.ToolTip$}m'y
                                        • API String ID: 0-284662525
                                        • Opcode ID: f5fed02049416cf5ac8d8088999953a90c2f7a88ed4f531573e76f36883f9cbc
                                        • Instruction ID: e50c587df26defe1911a6b849a3e6dcbd1366946df40b844e6e43920cdf9023f
                                        • Opcode Fuzzy Hash: f5fed02049416cf5ac8d8088999953a90c2f7a88ed4f531573e76f36883f9cbc
                                        • Instruction Fuzzy Hash: EA51B0B1D1021ADBDB10DF98C941BEFBBB8FB04715F10466AE815A7380DB746A48CBD5
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.Controls.RichEditBox$}m'y
                                        • API String ID: 0-1359917148
                                        • Opcode ID: b3b3979a259daa66f2f2f3dc5f568722c0db2d1799b5915651175c910e8206de
                                        • Instruction ID: 2863a547784154cc3a03447f199b1a7dc2ca4f6f20dba9ad9127bc2b24964a1e
                                        • Opcode Fuzzy Hash: b3b3979a259daa66f2f2f3dc5f568722c0db2d1799b5915651175c910e8206de
                                        • Instruction Fuzzy Hash: F751BEB1D1425AEFDB00DF98C945BEEBBB8FB04715F10452AE811A7280D7B46A48CBD5
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: Windows.UI.Xaml.ScalarTransition$}m'y
                                        • API String ID: 0-1493348250
                                        • Opcode ID: fedf2196d34f6dc50e1f7d29d6c569c0cb2af5860a99183ff6fab898e96a96e4
                                        • Instruction ID: 365ee76cf2c3f6d6cfcc8a0a0e435ed4531cffeebaf95d8e72f92f0ac0a61e7a
                                        • Opcode Fuzzy Hash: fedf2196d34f6dc50e1f7d29d6c569c0cb2af5860a99183ff6fab898e96a96e4
                                        • Instruction Fuzzy Hash: F251AFB1D1025ADFDB10DF94C841BAEBBB8FB04715F10416AE811A7280D7B56A48CBD5
                                        APIs
                                        • RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,0044337C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,79276D7D), ref: 00237280
                                          • Part of subcall function 0030DDA0: GetModuleHandleW.KERNEL32(Advapi32.dll,79276D7D,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 0030DDE3
                                        • CloseHandle.KERNEL32(?,79276D7D), ref: 002372B9
                                        Strings
                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00237178
                                        Similarity
                                        • API ID: CloseHandle$Module
                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                        • API String ID: 1412095732-2431777889
                                        • Opcode ID: 7336e97a586d687a97163fc6ad5572479f3b95fcd69fcf0e2001fb0128478b16
                                        • Instruction ID: cf571694d0a9fd16892dcf9da73c44fca62bd812e1dc4b4d7cee9ead70005abb
                                        • Opcode Fuzzy Hash: 7336e97a586d687a97163fc6ad5572479f3b95fcd69fcf0e2001fb0128478b16
                                        • Instruction Fuzzy Hash: E4515AB0D14258EAEF20DFA8C859BDEFBB4BF14704F108159E445B7281DBB46A48CFA5
                                        APIs
                                          • Part of subcall function 003CDBDD: RtlFreeHeap.NTDLL(00000000,00000000,?,003D221D,?,00000000,?,?,003D24BE,?,00000007,?,?,003D2B18,?,?), ref: 003CDBF3
                                          • Part of subcall function 003CDBDD: GetLastError.KERNEL32(?,?,003D221D,?,00000000,?,?,003D24BE,?,00000007,?,?,003D2B18,?,?), ref: 003CDBFE
                                        • ___free_lconv_mon.LIBCMT ref: 003D29C5
                                        Strings
                                        Similarity
                                        • API ID: ErrorFreeHeapLast___free_lconv_mon
                                        • String ID: XK$pK
                                        • API String ID: 4068849827-1722102153
                                        • Opcode ID: 4393700833a176f597537467c0f922dad59ab6a72547fbab1ad680c2f42c71ea
                                        • Instruction ID: fcd1aed0022ac9b39051635745a03776dde31851a4fed2f8a2f9862db58808b8
                                        • Opcode Fuzzy Hash: 4393700833a176f597537467c0f922dad59ab6a72547fbab1ad680c2f42c71ea
                                        • Instruction Fuzzy Hash: 4B3139326007059FEB32AA39E845F5B77E9EF50350F12482AF499DB255DF75EC908B20
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: DestroySleepWindow
                                        • String ID: (0;
                                        • API String ID: 3305115879-2807173533
                                        • Opcode ID: 5ac1e45aef1b3b527463cce4947be13ffa8d30756e733870dbcb99f509d5d5d9
                                        • Instruction ID: 27fcc3eef1a01bae82128ed28e5b14fe5c6ae72d6b58a15fe07d4b250d685ede
                                        • Opcode Fuzzy Hash: 5ac1e45aef1b3b527463cce4947be13ffa8d30756e733870dbcb99f509d5d5d9
                                        • Instruction Fuzzy Hash: 3E418231A50348EFCB11DF68DC49BDDBBB5BF09700F1441A9E909AB292CB745E04CBA6
                                        APIs
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 003D284F
                                        • __freea.LIBCMT ref: 003D285E
                                          • Part of subcall function 003CDC17: RtlAllocateHeap.NTDLL(00000000,00000000,003CD0E1,?,003CEE85,?,00000000,?,003BF625,00000000,003CD0E1,?,?,?,?,003CCEDB), ref: 003CDC49
                                        Strings
                                        Similarity
                                        • API ID: AllocateHeapStringType__freea
                                        • String ID: `&#
                                        • API String ID: 4073780324-3593461860
                                        • Opcode ID: 0b4b52f7658b0a5dc8534e963de4939ac9bf8bb39a7a4eb81e88141adfc9982c
                                        • Instruction ID: c140448a30adf88a2f3d084d9ab6d8b8e39b6300b882d8315a5e1ef0eafba5ba
                                        • Opcode Fuzzy Hash: 0b4b52f7658b0a5dc8534e963de4939ac9bf8bb39a7a4eb81e88141adfc9982c
                                        • Instruction Fuzzy Hash: 6E31ED72A0021AABCF229F65EC41EEFBBA8EF54710F05412AF904AB251E635CC51D7A0
                                        APIs
                                        • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,79276D7D,00459754), ref: 00327428
                                        • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00327524
                                          • Part of subcall function 00319AC0: std::locale::_Init.LIBCPMT ref: 00319B9D
                                          • Part of subcall function 003172B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00317385
                                        Strings
                                        • Failed to get Windows error message [win32 error 0x, xrefs: 00327446
                                        Similarity
                                        • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                        • String ID: Failed to get Windows error message [win32 error 0x
                                        • API String ID: 1983821583-3373098694
                                        • Opcode ID: a0ded40433861bc1ec7bf4c2c71fa61df8365cbef2d73beda91fc45e8848804d
                                        • Instruction ID: d1319d37387ff47f324678463593b331d08b4f47e67e58fdf7127f811f4a7e3a
                                        • Opcode Fuzzy Hash: a0ded40433861bc1ec7bf4c2c71fa61df8365cbef2d73beda91fc45e8848804d
                                        • Instruction Fuzzy Hash: 9C419070A043199BDB11DF68D909BAFBBF8FF44704F108659E455EB290D7B89A08CB91
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5CC8,Windows.UI.Xaml.Documents.Hyperlink,00000023,79276D7D,00000004,000000FF,?,004C5CC4,003E6017,000000FF), ref: 00295268
                                        Strings
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: PT)$Windows.UI.Xaml.Documents.Hyperlink
                                        • API String ID: 4129690577-2743552777
                                        • Opcode ID: 149e7be85c17d4a4eec6adadbc293b19ac68f47b2ee1fadcb0022f2ea572079d
                                        • Instruction ID: a71b8e37f78628e0992c0c0a480cf78a81d819474a9c8079f018e96df309fe65
                                        • Opcode Fuzzy Hash: 149e7be85c17d4a4eec6adadbc293b19ac68f47b2ee1fadcb0022f2ea572079d
                                        • Instruction Fuzzy Hash: 4C316B71E1061AEBDB01DF94C945BAEBBB4FB14715F10416AE8106B3C0DBB96B48CBD1
                                        APIs
                                        • OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,0045A350,00000001,79276D7D,00000000), ref: 003720FE
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 0037211B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Event$CreateOpen
                                        • String ID: _pbl_evt
                                        • API String ID: 2335040897-4023232351
                                        • Opcode ID: 9af23868a9d523a3dbe1aa7f6213827150653f3f1027c475cba248f45679db69
                                        • Instruction ID: f2070550c4f98cc50ac9de5619625d938ab5771a4ca34e9f7ee845e46b2b3bc9
                                        • Opcode Fuzzy Hash: 9af23868a9d523a3dbe1aa7f6213827150653f3f1027c475cba248f45679db69
                                        • Instruction Fuzzy Hash: 18318B31D10218EFDB10DFA8D846BDEB7B4EF04714F608229E811B7280DB746A09CFA5
                                        APIs
                                          • Part of subcall function 00313430: GetModuleFileNameW.KERNEL32(00000000,?,00000400,79276D7D), ref: 00313479
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,004BF0E0,80000001,00000001,00000000,?,79276D7D), ref: 0022E1A2
                                        • RegCloseKey.ADVAPI32(?,?,00002AF8,004BF0E0,80000001,00000001,00000000,?,79276D7D), ref: 0022E1EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CloseFileModuleNameQueryValue
                                        • String ID: }m'y
                                        • API String ID: 1288538307-184714451
                                        • Opcode ID: c817896011b39e9e9870062799218d159a0d317aeea11cbac1550133016ac0f0
                                        • Instruction ID: 899aceab924d0a0fc4d1e3af5f3b0bf782b8fef2a38eb14d3614f66531369ba8
                                        • Opcode Fuzzy Hash: c817896011b39e9e9870062799218d159a0d317aeea11cbac1550133016ac0f0
                                        • Instruction Fuzzy Hash: B6318D30914208EBDF15DFA4DC55BEEB7B8AF14700F108169E419AB2C1DFB46A48CB91
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 0023973C
                                        • SetWindowPos.USER32(?,00000000,00000000,}m'y,00000000,00000000,00000015,?,?,00000000,?,?,?,?,79276D7D,00000000), ref: 002397BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID: }m'y
                                        • API String ID: 3200805268-184714451
                                        • Opcode ID: be64964e86c05d2cf4b1eea0eb9d0148e0ce8d430897a0be30df0f848cf6d404
                                        • Instruction ID: 653bae5aa1c9907129d8eaa3312202b271fd389861e2130fe1ff3cb95306da5d
                                        • Opcode Fuzzy Hash: be64964e86c05d2cf4b1eea0eb9d0148e0ce8d430897a0be30df0f848cf6d404
                                        • Instruction Fuzzy Hash: AA21ACB1618206AFD714CF28CD85E7BB7EDEBC9710F108529F95487281D770E8148BAA
                                        APIs
                                        • IsWindow.USER32(00000002), ref: 0022D6CB
                                        • IsWindow.USER32(00000002), ref: 0022D6E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window
                                        • String ID: H?D
                                        • API String ID: 2353593579-2829560543
                                        • Opcode ID: b87c0d044d1e8172d3c38e6c1473b8f02b89692c3d80440dbc27de0bd10966c0
                                        • Instruction ID: d1c5f7c48952eeea2534b59a63c45c80dadb9e2885ca8313a3921d08140cf662
                                        • Opcode Fuzzy Hash: b87c0d044d1e8172d3c38e6c1473b8f02b89692c3d80440dbc27de0bd10966c0
                                        • Instruction Fuzzy Hash: FC217C30610701AFCB24DFA5E955F6BB7B9EF44B10F048A2DE42A87AA0CB35E814CB50
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0031689B
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003168FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                        • String ID: bad locale name
                                        • API String ID: 3988782225-1405518554
                                        • Opcode ID: ec176131485312f17158d43d36cdefe22d80264d5dd8beb36b63474b70ee144f
                                        • Instruction ID: 093c8d6dc871a2e2dc425043c441639d539ad0e6cad23984c471536aeeed2771
                                        • Opcode Fuzzy Hash: ec176131485312f17158d43d36cdefe22d80264d5dd8beb36b63474b70ee144f
                                        • Instruction Fuzzy Hash: 1D210270504784DFD721CF69C80079ABFF4AF15704F14869EE4858BB81D7B6DA04C791
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 002C813A
                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 002C8147
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Destroy
                                        • String ID: {D
                                        • API String ID: 3707531092-1498132776
                                        • Opcode ID: 90a496fe722cc34cacb2f153f90c01c2fad5708aa249eb1e24dae6fa941f133f
                                        • Instruction ID: 876d8f917aa9353a8d1b215db33572952e45d21bb97b31052d0fde074a66018a
                                        • Opcode Fuzzy Hash: 90a496fe722cc34cacb2f153f90c01c2fad5708aa249eb1e24dae6fa941f133f
                                        • Instruction Fuzzy Hash: 5A31BC70809689EFCB00DFA5C904B8EFBF4BF10314F1082A9E45497AD1CBB4AA18CB95
                                        APIs
                                          • Part of subcall function 003B5A3D: EnterCriticalSection.KERNEL32(004C4C5C,00000001,?,?,002291C7,00000000,79276D7D,00000001,?,?,?,-00000010,003DDD00,000000FF,?,002293A0), ref: 003B5A48
                                          • Part of subcall function 003B5A3D: LeaveCriticalSection.KERNEL32(004C4C5C,?,002291C7,00000000,79276D7D,00000001,?,?,?,-00000010,003DDD00,000000FF,?,002293A0,?,00000001), ref: 003B5A74
                                        • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,79276D7D,00000001,?,?,?,-00000010,003DDD00,000000FF,?,002293A0,?), ref: 002291E6
                                          • Part of subcall function 00229250: LoadResource.KERNEL32(00000000,00000000,79276D7D,00000001,00000000,?,00000000,003DD610,000000FF,?,002291FC,?,?,?,-00000010,003DDD00), ref: 0022927B
                                          • Part of subcall function 00229250: LockResource.KERNEL32(00000000,?,002291FC,?,?,?,-00000010,003DDD00,000000FF,?,002293A0,?,00000001,?,002369F0,-00000010), ref: 00229286
                                          • Part of subcall function 00229250: SizeofResource.KERNEL32(00000000,00000000,?,002291FC,?,?,?,-00000010,003DDD00,000000FF,?,002293A0,?,00000001,?,002369F0), ref: 00229294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
                                        • String ID: HLL$HLL
                                        • API String ID: 529824247-2104390300
                                        • Opcode ID: 557001dd7f2f805e10224da571a7a8d148bb389c774aee3c3fcabca6484f7cfb
                                        • Instruction ID: 87e56e87dbdf2796286f0cbe90ecd6523bb3c065b7eff7d4605da70e48091a56
                                        • Opcode Fuzzy Hash: 557001dd7f2f805e10224da571a7a8d148bb389c774aee3c3fcabca6484f7cfb
                                        • Instruction Fuzzy Hash: 72110836B04624ABD7254F59AC81B7AB3D8E784764F00027EED09D7380EB759C104690
                                        APIs
                                        • RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,79276D7D,?,?,?,?,?,003DE74D,000000FF), ref: 0043673C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: DirectoryRemove
                                        • String ID: ,bL$8bL
                                        • API String ID: 597925465-1623662416
                                        • Opcode ID: f70fa359359dbd83c2bbbd5fb3fae2cafb927139c455d49eaf9584a627ecc5c4
                                        • Instruction ID: 4300864b8b106c05ef9aef6d4c0a0ebfd69aa59ddc390646d24cb73d1635f47d
                                        • Opcode Fuzzy Hash: f70fa359359dbd83c2bbbd5fb3fae2cafb927139c455d49eaf9584a627ecc5c4
                                        • Instruction Fuzzy Hash: 9011A071900604EBC711EF48DC41B5AF7B8FB49720F61877AE464A7290D7756D008BA4
                                        APIs
                                        • GetParent.USER32(00000005), ref: 00241274
                                        Strings
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00241249
                                        • d, xrefs: 00241240
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                        • API String ID: 975332729-3357045315
                                        • Opcode ID: 2c99552884055c628e4163b7031e82bec71bbe77137ae93e184427951e0e52e8
                                        • Instruction ID: 57594c8354e3f4a8d03a0b13a58a6c03bf0b83ca8f7eb2b70811ce06c3d34953
                                        • Opcode Fuzzy Hash: 2c99552884055c628e4163b7031e82bec71bbe77137ae93e184427951e0e52e8
                                        • Instruction Fuzzy Hash: 03213874D15298EFDF04CFE4D958BCDBBB1BF18308F248098E401AB295D7B95A08CB91
                                        APIs
                                        Strings
                                        • d, xrefs: 0022D369
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 0022D375
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: a37144e6cd046763ab35164a692ca380fc7502a59336e76b77bb2721a434c8e3
                                        • Instruction ID: 7d5dacfd689792f982ae9de2a366467fb6639d5c5a905274fd21dae3975a8c54
                                        • Opcode Fuzzy Hash: a37144e6cd046763ab35164a692ca380fc7502a59336e76b77bb2721a434c8e3
                                        • Instruction Fuzzy Hash: 0A213674D15298EFDB05DFE4D898BCDBBB1BF18304F248099E401AB295DBB95A08CF81
                                        APIs
                                        Strings
                                        • d, xrefs: 0022CF9D
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 0022CFA6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: e3389407cdc278ba45cbf3c953b32422de4aacf2afac430a7ae5df1b20000c53
                                        • Instruction ID: 5daad7bc212b6c1d5f9e8df446a181040f6b78c350660cb52e0361542e0f56f3
                                        • Opcode Fuzzy Hash: e3389407cdc278ba45cbf3c953b32422de4aacf2afac430a7ae5df1b20000c53
                                        • Instruction Fuzzy Hash: DC214774D15298EFDB05CFE0D8587CDBBB1BF18308F148099E401AB291DBB95A08CB91
                                        APIs
                                        • GetParent.USER32(0000000D), ref: 0024133B
                                        Strings
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 0024130E
                                        • d, xrefs: 00241305
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                        • API String ID: 975332729-3357045315
                                        • Opcode ID: 484b43182bb1a478d42839178179eee52213c8a984b402808c623ca3e025b260
                                        • Instruction ID: 05e4ca5021ddee312ad8f02392a9eb378050344a9e9ae7eb0db7bd2bb234a403
                                        • Opcode Fuzzy Hash: 484b43182bb1a478d42839178179eee52213c8a984b402808c623ca3e025b260
                                        • Instruction Fuzzy Hash: 31211374D15298EFDB04CFE0D958BCDBFB1BF18308F248099E401AB292D7B95A08CB51
                                        APIs
                                        Strings
                                        • d, xrefs: 0022D42D
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 0022D439
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        • Associated: 00000000.00000002.1370231688.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370550573.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370567124.00000000004C3000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370585637.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 82bfa770c119477f49137c0875293be1bea71dee9c18dbe28d90c5d21ab148ed
                                        • Instruction ID: 90c695f32bb926ab5a886ef4c6d666382c9592f2705f21d59188055d4acb7f0b
                                        • Opcode Fuzzy Hash: 82bfa770c119477f49137c0875293be1bea71dee9c18dbe28d90c5d21ab148ed
                                        • Instruction Fuzzy Hash: D7214434D15298EEDB05DFE0D9987CDBBB1BF18308F208059E401AB286DBB95A08CF41
                                        APIs
                                        Strings
                                        • d, xrefs: 0022D05C
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 0022D065
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 2957f3d1068a11be0e2b97ac8cd88f908e61be496f671b5699d46c041de6d8e2
                                        • Instruction ID: 886885604deb83ff5823c81609352371c7732354e969c7b245bafab7a4a65ff5
                                        • Opcode Fuzzy Hash: 2957f3d1068a11be0e2b97ac8cd88f908e61be496f671b5699d46c041de6d8e2
                                        • Instruction Fuzzy Hash: 1A211274D15298EEDB05CFE0D9987CDBBB1BF18308F248099E401AB296DBB95A08CB55
                                        APIs
                                        • CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0028130F
                                        • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,0027FDEC,00000000,79276D7D,?,?), ref: 00281328
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Window$Create
                                        • String ID: tooltips_class32
                                        • API String ID: 870168347-1918224756
                                        • Opcode ID: 5cba48e81555b759539cf7b147c85ce6a4bc717041bc0d71f3743c88ecbeb1cd
                                        • Instruction ID: d1d25121e303ce6fa18514999810c0c9cef520df23386d13a875ed3f64330ddb
                                        • Opcode Fuzzy Hash: 5cba48e81555b759539cf7b147c85ce6a4bc717041bc0d71f3743c88ecbeb1cd
                                        • Instruction Fuzzy Hash: 27012B313D12127EF7644664DD1AFE13298D780B41F348339BB40FD0D0D6A6E921C60C
                                        APIs
                                        • SendMessageW.USER32(?,00000411,00000000,0000002C), ref: 00282192
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: ,$}m'y
                                        • API String ID: 3850602802-3752572645
                                        • Opcode ID: 279f74f12c28fda69e6245b0f87178524e6c9e0ed15cb8fc3c3a8aabcd7ef5cb
                                        • Instruction ID: 4e1acd0fe77eaa1a82fe090bb80196b37a016e1df052e7d3ff4ae4b773b06c85
                                        • Opcode Fuzzy Hash: 279f74f12c28fda69e6245b0f87178524e6c9e0ed15cb8fc3c3a8aabcd7ef5cb
                                        • Instruction Fuzzy Hash: E2017C74615341DFE318DF29C855B9AB7E0AB88300F448A2EA989C7291DBB4E808CB81
                                        APIs
                                        • GetParent.USER32(00000013), ref: 002413C4
                                        Strings
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 002413A9
                                        • Unknown exception, xrefs: 00241399
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                        • API String ID: 975332729-2259502730
                                        • Opcode ID: 39fbec301e8ae75793f31d6de19e5deaad62fdf108d56a44077aa0e37ea19597
                                        • Instruction ID: 46c586b15bac04b1509c00adf819397f13652b972c02d650fac6b435e64a1600
                                        • Opcode Fuzzy Hash: 39fbec301e8ae75793f31d6de19e5deaad62fdf108d56a44077aa0e37ea19597
                                        • Instruction Fuzzy Hash: 4D01C034D05288EFDF04DBE4C914ACDBFB0AF19300F648098E0016B392CBB55E08DB91
                                        APIs
                                        Strings
                                        • Unknown exception, xrefs: 0022D4C0
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 0022D4D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                        • API String ID: 2558294473-452454139
                                        • Opcode ID: 45e43d279514a60c66cfab6802ae62bbb0c71d2df672fde6be1c718f19a5a101
                                        • Instruction ID: b1b6385b426d51b72dfbb5bd67ea921278174112ab0a09643d1842218ba5d14e
                                        • Opcode Fuzzy Hash: 45e43d279514a60c66cfab6802ae62bbb0c71d2df672fde6be1c718f19a5a101
                                        • Instruction Fuzzy Hash: 24019234D0529CEBDF05EBE4D9156CDBBB16F59300F248198D4016B386DBB45B08DB92
                                        APIs
                                        Strings
                                        • Unknown exception, xrefs: 0022D0EA
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 0022D0FA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                        • API String ID: 2558294473-452454139
                                        • Opcode ID: 7d24f2158d52b671d74647b945c41fcfffa6e634115036af641b2c4d97bc435c
                                        • Instruction ID: b8bdbfd952692974b902e604f7e73e9c140c8f2912a8a4132f9908bfc520f8d1
                                        • Opcode Fuzzy Hash: 7d24f2158d52b671d74647b945c41fcfffa6e634115036af641b2c4d97bc435c
                                        • Instruction Fuzzy Hash: B601F134D0529CEBDF01DBE4D9186CDBFB1AF59300F208098E0016B382DBB44B08DB92
                                        APIs
                                        • InterlockedPushEntrySList.KERNEL32(004C5968,004C5C48), ref: 0028BEB6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: EntryInterlockedListPush
                                        • String ID: @\L$D\L
                                        • API String ID: 4129690577-244307285
                                        • Opcode ID: 15ee2aa6fff45343d7911e4c8b5e176d0bdf6e6dae8df858d942436b2c033e1b
                                        • Instruction ID: 6423a4df20fc6e71e31eda7e0bf37db3d410f48b9de3a7f00583364f4a95f6eb
                                        • Opcode Fuzzy Hash: 15ee2aa6fff45343d7911e4c8b5e176d0bdf6e6dae8df858d942436b2c033e1b
                                        • Instruction Fuzzy Hash: 3401DF39A01709DACB06DFA4D841FBEB7B0EB44311F20446FD8006B380CB782A41CB84
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 00236629
                                        • SysAllocString.OLEAUT32(}m'y), ref: 0023663F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AllocClearStringVariant
                                        • String ID: }m'y
                                        • API String ID: 1959693985-184714451
                                        • Opcode ID: 512e4bc91e1236484d427e353757f8e02402b17be83b7cad62b0bdf3f5eb02f2
                                        • Instruction ID: ee188f7145b0f2b5ca25726f04a4a6af804a13760bef2513d98d8a3843cce53a
                                        • Opcode Fuzzy Hash: 512e4bc91e1236484d427e353757f8e02402b17be83b7cad62b0bdf3f5eb02f2
                                        • Instruction Fuzzy Hash: 76F0C074720357A7DB205F74D81964AB6DCEF50395F10C82FEA85E7220E675C4908B9D
                                        APIs
                                        • GetOEMCP.KERNEL32(00000000,?,?,?,00000104), ref: 003D2DD7
                                        • GetACP.KERNEL32(00000000,?,?,?,00000104), ref: 003D2DEE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `&#
                                        • API String ID: 0-3593461860
                                        • Opcode ID: f510d634c80a6b5ac4bd9196d6841ac790787e194b2f452ba55cb5e7869de996
                                        • Instruction ID: 5b5cd1023a4c2a79d1b18d19cf406034f73ab75035fceba96922bfb3c80d8040
                                        • Opcode Fuzzy Hash: f510d634c80a6b5ac4bd9196d6841ac790787e194b2f452ba55cb5e7869de996
                                        • Instruction Fuzzy Hash: 00F06231400A04CFD711EB68E848B6E77B4BB10339F940369E535CA6E1D7715DA5CB94
                                        APIs
                                          • Part of subcall function 00233650: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4C5C,00000000,79276D7D,00220000,Function_001BD840,000000FF,?,003B59BB,?,?,?,00226438), ref: 00233675
                                          • Part of subcall function 00233650: GetLastError.KERNEL32(?,003B59BB,?,?,?,00226438), ref: 0023367F
                                        • IsDebuggerPresent.KERNEL32(?,?,?,00226438), ref: 003B59BF
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00226438), ref: 003B59CE
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003B59C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 450123788-631824599
                                        • Opcode ID: b07da1e6a4a8de8dc5cac3d9d36092f3e7ba23b67cbfc49a0f97680c4522fb5c
                                        • Instruction ID: 7a8a51f44fdad77a08c573e2b7069dcb4ade5e474fd8f9320016a845d375a697
                                        • Opcode Fuzzy Hash: b07da1e6a4a8de8dc5cac3d9d36092f3e7ba23b67cbfc49a0f97680c4522fb5c
                                        • Instruction Fuzzy Hash: ACE09270200B10CFD3A1AF34E405782BAE4AF08318F11886EE586C6A80DBF4E944CF95
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 003B33E0
                                          • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
                                          • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: XCL$3;
                                        • API String ID: 1269201914-4034168182
                                        • Opcode ID: 70972c4ff468167647b8e0b853aac2cb102d7c5ee168ff6fe9b7ce1e275e7468
                                        • Instruction ID: 3ee7615cfd6c1de3bb04529c394504b61d21577b6524c5e1b6cda079aecd5266
                                        • Opcode Fuzzy Hash: 70972c4ff468167647b8e0b853aac2cb102d7c5ee168ff6fe9b7ce1e275e7468
                                        • Instruction Fuzzy Hash: E0B0128D39C3507C3149610C1D02EB7015CC0C4F18734C12FF908CA840E8886D5C0037
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 003B341F
                                          • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
                                          • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1370260126.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_220000_RIv8fq9APB.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: L4;$~4;
• API String ID: 1269201914-751004607
• Opcode ID: e2a6b1df0289815d8088cad54f403b8781c6240fc1cb661171e4cb54d1efe62f
• Instruction ID: 747bb3a6eb4c032e85784d125027ec85672d6fb3a1ab013f6089196d56d04693
• Opcode Fuzzy Hash: e2a6b1df0289815d8088cad54f403b8781c6240fc1cb661171e4cb54d1efe62f
• Instruction Fuzzy Hash: 05B0128D3ACD116C3146718E1D03EF6092CC0C4F14730C53FF204C6841E9480D4C0037
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 003B748D
  • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
  • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: XFL${t;
• API String ID: 1269201914-1157156505
• Opcode ID: 1aa1ca2bb46e4a4c5ef2d54e04c1b6118855598a539fa9084631c0b3a8618951
• Instruction ID: 6943077c346aec49fcdd54fdd7c75c7e286609f73f6c5e9c3ce431fb861ad0b2
• Opcode Fuzzy Hash: 1aa1ca2bb46e4a4c5ef2d54e04c1b6118855598a539fa9084631c0b3a8618951
• Instruction Fuzzy Hash: 7EB0128539D1106C3285512D1D02EB6511CC1D4F15330C12FF104C6D40F4480C580037
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 003B748D
  • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
  • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: \FL${t;
• API String ID: 1269201914-2964843146
• Opcode ID: 9c8e7bcc9233c5333a04b4949055f4824c290b9a2d346465eefb5711d8db07a2
• Instruction ID: f26b1e949c6f41779eae23ed2b61ef89d3e3ed68a866b275eb4c063a9c827708
• Opcode Fuzzy Hash: 9c8e7bcc9233c5333a04b4949055f4824c290b9a2d346465eefb5711d8db07a2
• Instruction Fuzzy Hash: E8B012C539C0106C3285516D1D02EB6511CC1D4F19730C02FF504C6840F4480C080037
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 003B748D
  • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
  • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: `FL${t;
• API String ID: 1269201914-3748930988
• Opcode ID: b1d7c432f74ffa6a906ef6910b4101b6970186e67adde4b876475d78d42a5d53
• Instruction ID: 0e927b5d27f0382f25ee16e2a91a2db7da2a47541332f5a8b59d0244b53ebe75
• Opcode Fuzzy Hash: b1d7c432f74ffa6a906ef6910b4101b6970186e67adde4b876475d78d42a5d53
• Instruction Fuzzy Hash: 66B012C539C1146C32C5952D2D02EF6512CC1C4F15330C03FF104C6840F4480C040137
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 003B748D
  • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
  • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: dFL${t;
• API String ID: 1269201914-725287359
• Opcode ID: 095cbb3aad6d5149184918b3335d021deaa1337a9fc402b6eb23d8bad0453fcb
• Instruction ID: 2f8f2ece48b71b0d72d8b74a97b09bd3b088097f69b5e693aa679af6221af094
• Opcode Fuzzy Hash: 095cbb3aad6d5149184918b3335d021deaa1337a9fc402b6eb23d8bad0453fcb
• Instruction Fuzzy Hash: 90B0128539C2106C32C5512D2E02EF6511CC1C4F15330C02FF104C6840F4490C05003B
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 003B748D
  • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
  • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: hFL${t;
• API String ID: 1269201914-3969608651
• Opcode ID: c77a9b12fc2d80e1f5e1f46f448d3bc8e7d4d2261d78a9f30e276cb2d4cee56f
• Instruction ID: 5cef96a3cff306e5195bb744c06c6accdb829664df0c2fd71649295c2e15af31
• Opcode Fuzzy Hash: c77a9b12fc2d80e1f5e1f46f448d3bc8e7d4d2261d78a9f30e276cb2d4cee56f
• Instruction Fuzzy Hash: 96B0128539E2106C32C5513D1D02EF6512CC1C4F15330C12FF104C6940F4480C444037
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 003B34D8
  • Part of subcall function 003B3814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003B3887
  • Part of subcall function 003B3814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003B3898
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: @CL$a5;
• API String ID: 1269201914-3101152609
• Opcode ID: eeeff223486a944e64fb83168ba4c4351c0a78274fb7a37c6d0b8cf065a33c10
• Instruction ID: 06e38ebd67f11b89a5b6a249e55d10d316603549d6a92598dcca947bbc65ac58
• Opcode Fuzzy Hash: eeeff223486a944e64fb83168ba4c4351c0a78274fb7a37c6d0b8cf065a33c10
• Instruction Fuzzy Hash: 28B0129539C0106C3146614D2D02EF6013CC1C4F1CB34C02FF504C7840E4480E0C4037