

Windows Analysis Report
pYcFueZgOd.exe

Overview

General Information

Sample name: pYcFueZgOd.exe (renamed because the original name is a hash value)
Original sample name: 5c66f9bca9f767940d4cb22b59f77a5459c8625bdcc4824fbe42af548e5e5d83.exe
Analysis ID: 1554999
MD5: 196bba4588947b52ece8dc38cd566b24
SHA1: cb31b0ce35428b4d8ad22a52547c04a517d89e68
SHA256: 5c66f9bca9f767940d4cb22b59f77a5459c8625bdcc4824fbe42af548e5e5d83
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Query firmware table information (likely to detect VMs)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
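Two of the signatures above, "Binary contains a suspicious time stamp" and the static PE flags behind "Uses 32bit PE files", are read straight out of the COFF file header. The following is an added example, not Joe Sandbox code and not part of this report, that parses that header from raw bytes, decodes the characteristic bits the report prints (EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE) and classifies the TimeDateStamp against the first-seen time. The test image is constructed in build_stub_pe(); its timestamp 1731488858 is the /wintime value from the msiexec command line in the process tree and is used only as a stand-in, because the page does not print the sample's real header value. The "future"/"ancient" thresholds are assumptions about what a sandbox treats as suspicious, not Joe Sandbox's published rule.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits from winnt.h, named as the report prints them.
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE_I386 = 0x014C
PE_EPOCH_FLOOR = 725_846_400  # 1993-01-01 UTC: assumed floor, before NT 3.1 there were no PE files


def parse_coff_header(data: bytes) -> dict:
    """Follow MZ -> e_lfanew -> 'PE\\0\\0' and decode the 20-byte COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, tstamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": tstamp,
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
    }


def timestamp_verdict(tstamp: int, first_seen: int, slack: int = 86_400) -> str:
    """Classify TimeDateStamp (epoch seconds) against the time the file was first seen.

    'future' and 'ancient' are the conditions a sandbox usually reports as a suspicious
    time stamp (assumed thresholds); 0 and 0xFFFFFFFF come from reproducible-build
    toolchains and are not points in time at all.
    """
    if tstamp in (0, 0xFFFFFFFF):
        return "not-a-timestamp"
    if tstamp > first_seen + slack:
        return "future"
    if tstamp < PE_EPOCH_FLOOR:
        return "ancient"
    return "plausible"


def build_stub_pe(tstamp: int, characteristics: int = 0x0122) -> bytes:
    """Constructed test image: MZ stub, e_lfanew = 0x40, a COFF header and nothing else.

    0x0122 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE, the flag set the
    report lists for pYcFueZgOd.exe.
    """
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, tstamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 1731488858 is the /wintime value from the msiexec command line in this report; it is
    # a stand-in because the page does not print the sample's actual header timestamp.
    first_seen = 1731489060  # 2024-11-13T09:11:00Z, roughly when the analysis ran
    hdr = parse_coff_header(build_stub_pe(1731488858))
    built = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc).isoformat()
    print(hdr, built, timestamp_verdict(hdr["timestamp"], first_seen))
```

On a real file, read the first few kilobytes and pass them to parse_coff_header(); the Authenticode signing time (from the PKCS#7 blob in the security directory) is the better reference point than the analysis time when a signature is present.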

Classification

  • System is w10x64
  • pYcFueZgOd.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\pYcFueZgOd.exe" MD5: 196BBA4588947B52ECE8DC38CD566B24)
    • msiexec.exe (PID: 5156 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 3776 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3784 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 161E3B14046EDAE7687DCE0A2DE92319 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2084 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 086D93F0B7AD81A713F30BD085B16B8B MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
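The process tree is the most informative part of this report: pYcFueZgOd.exe is an Advanced Installer bootstrapper that stages Installer.msi under %APPDATA% and hands it to msiexec with AI_* and SETUPEXEDIR properties, and the service-side msiexec (/V) then spawns 32-bit custom-action servers (-Embedding with a CLSID). The following is an added example, not Joe Sandbox code and not from the sample, that parses msiexec command lines the way an EDR or Sigma post-processor would need to, extracting the action switch, the package path and the PROPERTY=value pairs, and applies a few triage checks. SAMPLE_CMDLINE is copied from the tree above; the tokenizer, the USER_WRITABLE pattern and the 200-character "very long option" threshold are assumptions, not Joe Sandbox's definitions.

```python
import re

# Copied from the process tree in this report (the msiexec line spawned by pYcFueZgOd.exe).
SAMPLE_CMDLINE = (
    r'"C:\Windows\system32\msiexec.exe" /i '
    r'"C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" '
    r'AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ '
    r'EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""'
)

# Windows Installer switches whose next token is the package (/i, /a, /f*, /x, /p).
PACKAGE_SWITCHES = ("/i", "/a", "/f", "/x", "/p")
# Assumed heuristic: packages staged under a user profile or ProgramData deserve a look.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.I)
LONG_OPTION = 200  # assumed threshold for "very long cmdline option"


def split_windows_cmdline(cmd: str) -> list[str]:
    """Minimal Windows tokenizer: whitespace separates, double quotes group and are dropped.

    Deliberately not shlex: in POSIX mode it treats backslashes as escapes and would turn
    C:\\Users into C:Users. Backslash-escaped quotes are not handled; msiexec lines do not use them.
    """
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_msiexec(cmd: str) -> dict:
    """Split an msiexec command line into action, package, PROPERTY=value pairs and switches."""
    tokens = split_windows_cmdline(cmd)
    out = {"exe": tokens[0] if tokens else "", "action": None, "package": None,
           "embedding_clsid": None, "properties": {}, "switches": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        sw = "/" + tok[1:].lower() if tok[0] in "/-" else None   # msiexec accepts - or /
        if sw == "/embedding" and i + 1 < len(tokens):
            out["embedding_clsid"] = tokens[i + 1]               # custom-action server
            i += 2
        elif sw and sw[:2] in PACKAGE_SWITCHES and i + 1 < len(tokens):
            out["action"], out["package"] = tok, tokens[i + 1]
            i += 2
        elif sw is None and "=" in tok:
            name, value = tok.split("=", 1)                       # public property
            out["properties"][name] = value
            i += 1
        else:
            out["switches"].append(tok)
            i += 1
    return out


def triage(parsed: dict) -> list[str]:
    """Cheap checks to run before opening the MSI itself."""
    findings = []
    if parsed["package"] and USER_WRITABLE.match(parsed["package"]):
        findings.append("package staged in a user-writable directory")
    if any(k.startswith("AI_") or k == "SETUPEXEDIR" for k in parsed["properties"]):
        findings.append("Advanced Installer bootstrapper properties (AI_*/SETUPEXEDIR)")
    if parsed["embedding_clsid"]:
        findings.append("custom-action server (-Embedding) spawned by the installer service")
    longest = max((len(v) for v in parsed["switches"] + list(parsed["properties"].values())), default=0)
    if longest > LONG_OPTION:
        findings.append(f"very long option/value ({longest} chars)")
    return findings


if __name__ == "__main__":
    parsed = parse_msiexec(SAMPLE_CMDLINE)
    print(parsed["action"], parsed["package"])
    print(parsed["properties"])
    print(triage(parsed))
```

The parent process matters as much as the arguments: here the /i line is spawned by the bootstrapper itself, while the -Embedding servers are children of the msiexec /V service instance, which is normal Windows Installer behaviour and not by itself a sign of injection.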
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T10:11:29.301001+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.6 | 49748 | TCP
2024-11-13T10:12:06.808572+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.6 | 49964 | TCP

Suricata severity 1 is its highest priority; the "low severity" wording in the signature list reflects Joe Sandbox's own weighting of the hit. Both alerts fired on server-to-client packets from 20.109.210.53:443 into the analysis VM (remote port 443, local ephemeral ports), i.e. inside TLS sessions initiated from the VM, so the CAB-header content match landed on ciphertext; confirm against the PCAP before treating this as a CVE-2016-2211 exploitation attempt.


Source: pYcFueZgOd.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: pYcFueZgOd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: pYcFueZgOd.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DC2380 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA43B0 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DAC0B0 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DBE3A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCE610 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCB7D0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49748
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49964
Source: pYcFueZgOd.exe | String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: pYcFueZgOd.exe, 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp, pYcFueZgOd.exe, 00000000.00000000.2159340655.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shi7EE7.tmp.0.dr | String found in binary or memory: http://.css
Source: shi7EE7.tmp.0.dr | String found in binary or memory: http://.jpg
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi7EE7.tmp.0.dr | String found in binary or memory: http://html4/loose.dtd
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://t2.symcb.com0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://tl.symcd.com0&
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr | String found in binary or memory: https://www.thawte.com/repository0W
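Nearly every URL in the rows above comes from the Authenticode certificate chain embedded in the installer (DigiCert and Thawte/Symantec CRL, OCSP and AIA endpoints), and each is carved with one or two trailing bytes of DER ("0C", "0P", "02") because the string extractor runs straight into the next ASN.1 tag. Copying these into a blocklist would pollute it with CA infrastructure. The following is an added example, not Joe Sandbox code and not from the sample, that extracts URLs from such strings, trims the DER tail, and sorts them into certificate plumbing, fragments such as http://.css, and the few worth a second look. SAMPLE_STRINGS is constructed from the rows above; the CA domain list, the trimming rules and the classification are heuristics of this example, not part of the report.

```python
import re
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~!$&'()*+,;=:@%/\-]*)?")
PKI_EXT = (".crl", ".crt", ".cer", ".p7c", ".p7b")
PKI_LABELS = ("ocsp", "crl", "cacerts", "aia", "pki")
# Assumed list; extend for the CAs you see. Matched as exact domain or subdomain only.
CA_DOMAINS = ("digicert.com", "symcb.com", "symcd.com", "thawte.com", "verisign.com",
              "globalsign.com", "sectigo.com", "comodoca.com", "usertrust.com", "entrust.net")

# Constructed from the "String found in binary or memory" rows of this report.
SAMPLE_STRINGS = [
    "http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
    "http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P",
    "http://crl4.digicert.com/sha2-assured-ts.crl0",
    "http://ocsp.digicert.com0C",
    "http://t2.symcb.com0",
    "http://tl.symcd.com0&",
    "http://www.digicert.com/CPS0",
    "https://www.thawte.com/cps0/",
    "https://www.thawte.com/repository0W",
    "https://www.advancedinstaller.com",
    "http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/",
    "http://.css",
    "http://html4/loose.dtd",
    "GetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.com",
]


def is_ca_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CA_DOMAINS)


def trim_der_tail(url: str) -> str:
    """Strip the ASN.1 bytes a string carver drags along after a URL inside an X.509 blob."""
    parts = urlsplit(url)
    host, path = parts.netloc, parts.path
    # 1. A TLD is lower-case letters; the first character after it that is not a
    #    lower-case letter, dot or hyphen is the next DER tag ("...com0C", "...comTEST").
    m = re.match(r"^(.*\.[a-z]{2,})[^a-z.\-].*$", host)
    if m:
        host = m.group(1)
    # 2. Cut right after a certificate/CRL file extension ("...RootCA.crl0P").
    low = path.lower()
    for ext in PKI_EXT:
        i = low.rfind(ext)
        if i != -1:
            path = path[: i + len(ext)]
            break
    else:
        # 3. On a known CA host a trailing '0' (0x30, SEQUENCE) plus one length byte is DER,
        #    not path ("/CPS0", "/cps0/", "/repository0W"). Heuristic: only on CA hosts.
        if is_ca_host(host):
            path = re.sub(r"0.?$", "", path)
    return urlunsplit((parts.scheme, host, path, "", ""))


def classify(url: str) -> str:
    """'pki' for certificate-chain plumbing, 'fragment' for non-URLs, 'other' for IOC candidates."""
    parts = urlsplit(url)
    host, path = parts.netloc.lower(), parts.path.lower()
    if host.startswith(".") or "." not in host:
        return "fragment"
    first_label = host.split(".")[0].rstrip("0123456789")   # crl3 -> crl
    if is_ca_host(host) or path.endswith(PKI_EXT) or first_label in PKI_LABELS:
        return "pki"
    return "other"


def extract_urls(strings) -> list[tuple[str, str]]:
    """Unique (url, class) pairs in first-seen order; run-together strings are split on the next http(s)://."""
    seen = {}
    for s in strings:
        for piece in re.split(r"(?=https?://)", s):
            m = URL_RE.match(piece)
            if m:
                url = trim_der_tail(m.group(0))
                seen.setdefault(url, classify(url))
    return list(seen.items())


def ioc_candidates(strings) -> list[str]:
    """What is left after certificate infrastructure and fragments are removed."""
    return [u for u, c in extract_urls(strings) if c == "other"]


if __name__ == "__main__":
    for url, kind in extract_urls(SAMPLE_STRINGS):
        print(f"{kind:9} {url}")
    print("candidates:", ioc_candidates(SAMPLE_STRINGS))
```

A lower-case tail such as www.yahoo.comtin9999.tmp.part (from the run-together string earlier in this block) cannot be separated by these rules, which is the same ambiguity behind the report's own "equals www.yahoo.com" match; what survives here (the Advanced Installer vendor site, an XMP namespace and three connectivity-check hosts) is consistent with a commercial installer rather than a C2 list.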
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DE15E0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D61FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D00010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB2250 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CBC4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB8720 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB8890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CAEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D00BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D00CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D00C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CF6EE0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CAF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CCD320 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CC15F0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB1670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CAF7C0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB1C90 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D47F20 NtdllDefWindowProc_W
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6c83b9.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI8743.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_01502CB4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_014DF770
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CBA950
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DDB350
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DB7D70
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CC6070
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CC41B0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CBE290
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E3E2BE
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E3E64C
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D82A50
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E58B95
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB8CD0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CA2F40
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CD52F0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CC35A0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E1D550
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E53631
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CC7630
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D7B7A0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CFFA40
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E4DD6A
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D13FC0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00D9E6D0 appears 59 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00CA8800 appears 223 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00D9E770 appears 31 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00CA9390 appears 41 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00CD3810 appears 90 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00CA99C0 appears 69 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00CA7070 appears 53 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: String function: 00CA6FF0 appears 46 times
Source: pYcFueZgOd.exe, 00000000.00000003.2162923408.000000000151C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDecoder.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameInstaller.exe8 vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe | Binary or memory string: OriginalFileNameInstaller.exe8 vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe | Binary or memory string: OriginalFilenameDecoder.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi7EE7.tmp.0.drBinary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engineClassification label: sus32.evad.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\pYcFueZgOd.exeCode function: 0_2_00DA2230 FormatMessageW,GetLastError,0_2_00DA2230
Source: C:\Users\user\Desktop\pYcFueZgOd.exeCode function: 0_2_00DCC990 GetDiskFreeSpaceExW,0_2_00DCC990
Source: C:\Users\user\Desktop\pYcFueZgOd.exeCode function: 0_2_00DE6D50 CoCreateInstance,0_2_00DE6D50
Source: C:\Users\user\Desktop\pYcFueZgOd.exeCode function: 0_2_00D3AB40 FindResourceW,LoadResource,LockResource,SizeofResource,0_2_00D3AB40
Source: C:\Users\user\Desktop\pYcFueZgOd.exeFile created: C:\Users\user\AppData\Roaming\ConsolHQ LTDJump to behavior
Source: C:\Users\user\Desktop\pYcFueZgOd.exeFile created: C:\Users\user\AppData\Local\Temp\shi7EE7.tmpJump to behavior
Source: pYcFueZgOd.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pYcFueZgOd.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\pYcFueZgOd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\pYcFueZgOd.exeFile read: C:\Users\user\Desktop\pYcFueZgOd.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\pYcFueZgOd.exe "C:\Users\user\Desktop\pYcFueZgOd.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 161E3B14046EDAE7687DCE0A2DE92319 C
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 086D93F0B7AD81A713F30BD085B16B8B
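The process chain above (a desktop executable launching msiexec.exe /i on a package under AppData\Roaming with AI_* properties, and the Windows Installer service spawning SysWOW64 MsiExec.exe -Embedding custom-action servers) is the shape an Advanced Installer bootstrapper normally produces, so it is a hunting lead, not a verdict. The following is an added example, not code from the report or from the installer: a Python heuristic run over constructed Sysmon-style process-creation records that mirror this tree. The record field names, the pids, the 200-character length threshold and the list of user-writable directories are assumptions to tune per environment.

```python
"""Hunting heuristic for msiexec.exe process-creation events shaped like the
chain above. Added example, not code from the report or from the installer.
EVENTS is constructed from the command lines listed in the report; field names,
pids and thresholds are assumptions."""
import re
from typing import Any, Dict, List

TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')   # Windows-style quoted tokens
PROPERTY_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_.]*)=(.*)$', re.S)
USER_WRITABLE_RE = re.compile(r'\\(?:appdata|desktop|downloads|temp)\\', re.I)
LONG_CMDLINE = 200  # assumed threshold; tune to the environment


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace while keeping quoted spans together, then drop quotes."""
    return [t.replace('"', '') for t in TOKEN_RE.findall(cmdline)]


def parse_msiexec(cmdline: str) -> Dict[str, Any]:
    """Extract package path, PROPERTY=value pairs and mode from an msiexec command line."""
    toks = tokenize(cmdline)
    info: Dict[str, Any] = {"package": None, "properties": {}, "embedding": False, "switches": []}
    i = 1
    while i < len(toks):
        low = toks[i].lower()
        if low in ("/i", "-i", "/a", "-a", "/x", "-x") and i + 1 < len(toks):
            info["package"] = toks[i + 1]
            i += 2
            continue
        if low in ("-embedding", "/embedding"):
            info["embedding"] = True      # custom-action server started by the service
            i += 2                        # skip the server GUID
            continue
        m = PROPERTY_RE.match(toks[i])
        if m:
            info["properties"][m.group(1)] = m.group(2)
        elif toks[i].startswith(("/", "-")):
            info["switches"].append(toks[i])
        i += 1
    return info


def assess(event: Dict[str, Any], by_pid: Dict[int, Dict[str, Any]]) -> List[str]:
    """Return the reasons an msiexec event deserves a look (empty list = none)."""
    reasons: List[str] = []
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return reasons
    info = parse_msiexec(event["cmd"])
    parent = by_pid.get(event["ppid"])
    if info["package"] and USER_WRITABLE_RE.search(info["package"]):
        reasons.append("package in user-writable path: " + info["package"])
    if parent and USER_WRITABLE_RE.search(parent["image"]):
        reasons.append("launched from user-writable parent: " + parent["image"])
    if "AI_SETUPEXEPATH" in info["properties"]:
        reasons.append("Advanced Installer bootstrapper properties (AI_*) present")
    if len(event["cmd"]) > LONG_CMDLINE:
        reasons.append("long command line: %d chars" % len(event["cmd"]))
    if info["embedding"] and "\\syswow64\\" in event["image"].lower():
        reasons.append("32-bit custom-action server (MsiExec.exe -Embedding)")
    return reasons


def hunt(events: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that scored at least one reason."""
    by_pid = {e["pid"]: e for e in events}
    result: Dict[int, List[str]] = {}
    for e in events:
        reasons = assess(e, by_pid)
        if reasons:
            result[e["pid"]] = reasons
    return result


# Constructed records mirroring the report's process tree (pids are made up).
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Users\user\Desktop\pYcFueZgOd.exe",
     "cmd": r'"C:\Users\user\Desktop\pYcFueZgOd.exe"'},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmd": r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""'},
    {"pid": 3, "ppid": 0, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmd": r"C:\Windows\syswow64\MsiExec.exe -Embedding 161E3B14046EDAE7687DCE0A2DE92319 C"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, reasons)
```

Run against real telemetry, the package path and the parent image are the two signals worth keeping as a rule; the AI_* property and the length checks only describe this packer and will fire on every legitimate Advanced Installer setup as well.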
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: pYcFueZgOd.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pYcFueZgOd.exe | Static file information: File size 49199285 > 1048576
Source: pYcFueZgOd.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: pYcFueZgOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pYcFueZgOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pYcFueZgOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pYcFueZgOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pYcFueZgOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pYcFueZgOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pYcFueZgOd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: pYcFueZgOd.exe
Source: pYcFueZgOd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pYcFueZgOd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pYcFueZgOd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pYcFueZgOd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pYcFueZgOd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi7EE7.tmp.0.dr | Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA2350 LoadLibraryW,GetProcAddress,FreeLibrary
Source: shi7EE7.tmp.0.dr | Static PE information: section name: .wpp_sf
Source: shi7EE7.tmp.0.dr | Static PE information: section name: .didat
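The shi7EE7.tmp timestamp 0xC7FEC470 decodes to April 2076, which is what fires the "Binary contains a suspicious time stamp" signature. The same dropped file carries wininet.pdb and OriginalFilename wininet.dll strings, and since roughly 2017 Microsoft has built Windows binaries reproducibly with TimeDateStamp holding a build hash instead of a time, so a nonsensical stamp on a Microsoft DLL is the expected case; on a third-party binary the same value is a genuine red flag. The added example below, not code from the report, parses the COFF file header and classifies the stamp. The header it checks by default is constructed with that value; given a path on the command line it reads a real file instead.

```python
"""Decode a PE file's COFF TimeDateStamp and classify it against the analysis
time. Added example, not part of the Joe Sandbox report; SAMPLE_PE is a
constructed header-only image carrying the 0xC7FEC470 stamp seen on shi7EE7.tmp."""
import struct
import sys
from datetime import datetime, timezone
from typing import Dict, Optional

DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FORMAT = "<HHIIIHH"


def read_pe_timestamp(data: bytes) -> int:
    """Return the raw 32-bit TimeDateStamp from the COFF file header."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    _machine, _nsections, stamp, *_ = struct.unpack_from(
        COFF_HEADER_FORMAT, data, e_lfanew + 4)
    return stamp


def describe_timestamp(stamp: int, now: Optional[datetime] = None) -> Dict[str, object]:
    """Render the stamp as UTC and say whether it is plausible as a build time."""
    now = now or datetime.now(timezone.utc)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if stamp == 0:
        verdict = "zero: stamp stripped"
    elif when > now:
        # Either a deliberately bogus stamp or, on Microsoft binaries built
        # reproducibly, a build hash stored in the field instead of a time.
        verdict = "future: suspicious unless reproducible-build hash"
    elif when.year < 1995:
        verdict = "implausibly old"
    else:
        verdict = "plausible"
    return {"raw": stamp,
            "utc": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
            "verdict": verdict}


def build_min_pe(stamp: int) -> bytes:
    """Construct a header-only i386 PE with the given stamp (test input)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    coff = struct.pack(COFF_HEADER_FORMAT, 0x14C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


SAMPLE_PE = build_min_pe(0xC7FEC470)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    print(describe_timestamp(read_pe_timestamp(data)))
```

When triaging a dropped file with a future stamp, pair this check with the Authenticode signature and the version resource: a signed Microsoft binary with a hash-valued stamp is noise, an unsigned one with a copied OriginalFilename is not.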
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_01509841 pushfd ; retf 0_3_01509842
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_01504D7B push edi; ret 0_3_01504E19
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_01504080 push eax; ret 0_3_01504081
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_01504B21 push ebx; ret 0_3_01504B49
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_3_014ED4FD push 5563014Eh; iretd 0_3_014ED502
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D0A486 push esi; ret 0_2_00D0A488
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E36C6E push ecx; ret 0_2_00E36C81
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00D83330 push ecx; mov dword ptr [esp], 3F800000h 0_2_00D83478
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CB5BE0 push ecx; mov dword ptr [esp], ecx 0_2_00CB5BE1
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7F84.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File created: C:\Users\user\AppData\Local\Temp\MSI814A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File created: C:\Users\user\AppData\Local\Temp\shi7EE7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7F84.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI814A.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7EE7.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Evaded block: after key decision
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3 FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DC2380 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA43B0 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00CBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DAC0B0 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DBE3A0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCE610 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCB7D0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00DCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection
Source: C:\Users\user\Desktop\pYcFueZgOd.exe | Code function: 0_2_00E3365A VirtualQuery,GetSystemInfo
Source: pYcFueZgOd.exe | Binary or memory string: &VmCi
Source: Installer.msi.0.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
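The FirmwareTableInformation queries in this section come from the 32-bit msiexec.exe custom-action host, and the Installer.msi string block above lists the SMBIOS manufacturer, product and BIOS strings of VMware guests, VirtualBox ("innotek GmbH") and Hyper-V ("Microsoft Corporation" / "Virtual Machine") right next to "Getting system information" and the "Manufacturer [", "Model [", "BIOS [" log formats. That is consistent with an installer custom action reading the SMBIOS table to identify the platform, which is also the minimal check a sandbox-evasion routine performs, so the signature alone does not separate the two. The added example below, not the installer's code and not from the report, parses a raw SMBIOS table and reports which fields match those vendor strings; the tables it parses are constructed (one resembling a VMware guest, one a physical laptop). On Windows the real table is obtained with kernel32 GetSystemFirmwareTable('RSMB'), the documented user-mode wrapper of the same firmware-table query; that helper is included but only runs there.

```python
"""Scan a raw SMBIOS table for the virtual-machine vendor strings listed in
the report. Added example, not part of the Joe Sandbox report and not the
installer's own code; SAMPLE_TABLE and PHYSICAL_TABLE are constructed."""
import struct
from typing import Dict, List, Tuple

# Substrings from the Installer.msi string block. "Microsoft Corporation" is
# deliberately absent: it is also the manufacturer of physical Surface devices,
# so only the product string "Virtual Machine" identifies a Hyper-V guest.
VM_MARKERS = ("VMware", "innotek GmbH", "VirtualBox", "Virtual Machine", "VRTUAL")

# (offset, label) of string-index fields in the SMBIOS structure types that
# carry vendor, manufacturer and product names.
FIELDS = {
    0: [(4, "bios_vendor")],                   # Type 0: BIOS Information
    1: [(4, "manufacturer"), (5, "product")],  # Type 1: System Information
}
END_OF_TABLE = 127


def parse_smbios(table: bytes) -> Dict[str, str]:
    """Walk the structures and return the labelled string fields found."""
    out: Dict[str, str] = {}
    pos = 0
    while pos + 4 <= len(table):
        stype, length, _handle = struct.unpack_from("<BBH", table, pos)
        if length < 4:
            break  # malformed header: refuse to loop on garbage
        formatted = table[pos:pos + length]
        # String set: NUL-terminated strings, closed by an empty string.
        strings: List[str] = []
        cur = pos + length
        try:
            while True:
                end = table.index(b"\0", cur)
                chunk = table[cur:end]
                cur = end + 1
                if not chunk:
                    break
                strings.append(chunk.decode("ascii", "replace"))
        except ValueError:
            break  # unterminated string set: stop parsing
        if not strings:
            cur += 1  # an empty set is encoded as two NULs
        for offset, label in FIELDS.get(stype, []):
            idx = formatted[offset] if offset < len(formatted) else 0
            if 1 <= idx <= len(strings):
                out[label] = strings[idx - 1]
        if stype == END_OF_TABLE:
            break
        pos = cur
    return out


def vm_indicators(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, value) pairs whose value contains a VM marker."""
    return [(label, value) for label, value in fields.items()
            if any(m.lower() in value.lower() for m in VM_MARKERS)]


def read_raw_smbios_windows() -> bytes:
    """Fetch the 'RSMB' table through kernel32!GetSystemFirmwareTable (Windows only)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = 0x52534D42  # 'RSMB'
    size = k32.GetSystemFirmwareTable(provider, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(provider, 0, buf, size)
    # RawSMBIOSData: four version bytes, DWORD Length, then the table itself.
    length = struct.unpack_from("<I", buf.raw, 4)[0]
    return buf.raw[8:8 + length]


def build_structure(stype: int, handle: int, tail: bytes, strings: List[str]) -> bytes:
    """Encode one SMBIOS structure (helper for constructing test tables)."""
    header = struct.pack("<BBH", stype, 4 + len(tail), handle)
    strset = b"".join(s.encode() + b"\0" for s in strings) + b"\0" if strings else b"\0\0"
    return header + tail + strset


# Constructed: Type 0 vendor = string 1; Type 1 manufacturer = 1, product = 2.
SAMPLE_TABLE = (
    build_structure(0, 0x0000, bytes([1, 2, 0, 0]), ["Phoenix Technologies LTD", "6.00"])
    + build_structure(1, 0x0001, bytes([1, 2, 3, 4]),
                      ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-42 1a"])
    + build_structure(END_OF_TABLE, 0x0002, b"", [])
)
# Constructed physical-machine table for comparison.
PHYSICAL_TABLE = (
    build_structure(1, 0x0001, bytes([1, 2, 0, 0]), ["LENOVO", "20XW"])
    + build_structure(END_OF_TABLE, 0x0002, b"", [])
)

if __name__ == "__main__":
    print(vm_indicators(parse_smbios(SAMPLE_TABLE)))
```

For a sandbox operator the useful direction is the reverse: because a check this simple stops at the Type 0 and Type 1 strings, patching those fields in the guest firmware is enough to defeat it, and a sample that still evades after that is using something beyond the SMBIOS table.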
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E3AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E3AD13
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00DD77C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00DD77C0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00DA2350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00DA2350
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E4C66D mov ecx, dword ptr fs:[00000030h] 0_2_00E4C66D
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E5783E mov eax, dword ptr fs:[00000030h] 0_2_00E5783E
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E35CA1 mov esi, dword ptr fs:[00000030h] 0_2_00E35CA1
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E35D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00E35D0D
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00CD21E0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00CD21E0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E36738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E36738
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E3AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E3AD13
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\skimarutils 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\pycfuezgod.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488858 " ai_euimsi=""
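The command line above is the Advanced Installer bootstrapper handing its extracted MSI (under %APPDATA%\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455d3\) to msiexec.exe with the AI_SETUPEXEPATH, SETUPEXEDIR, EXE_CMD_LINE and AI_EUIMSI properties; SETUPEXEDIR also appears in the installer's own string table above, and the long quoted EXE_CMD_LINE value is the kind of option a "very long cmdline" signature keys on. As an added example (not code from the report or from Advanced Installer), the Python below tokenises such a line the way msiexec sees it, separates switches, package path and PROPERTY=value pairs, unpacks the nested EXE_CMD_LINE, and applies triage rules that are this example's own assumptions: package under a user-writable directory, AI_* bootstrapper properties present, and a nested command line handed to the package. The sample line is constructed from the report's (lowercased) output.

```python
"""Normalise an msiexec.exe command line (MSI path, installer properties,
nested bootstrapper options) and apply a few triage checks.
Added example; not code from the report or from Advanced Installer."""
from pathlib import PureWindowsPath

# Constructed from the process-creation line in this report, in the
# lowercased form the sandbox prints it.
SAMPLE_CMDLINE = (
    '"c:\\windows\\system32\\msiexec.exe" /i '
    '"c:\\users\\user\\appdata\\roaming\\consolhq ltd\\skimarutils 1.12.3'
    '\\install\\52455d3\\installer.msi" '
    'ai_setupexepath=c:\\users\\user\\desktop\\pycfuezgod.exe '
    'setupexedir=c:\\users\\user\\desktop\\ '
    'exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488858 " ai_euimsi=""'
)

# Switches whose next argument is the package or patch path.
PACKAGE_SWITCHES = {"i", "a", "x", "p"}
# Directory names treated as user-writable locations (triage assumption).
USER_WRITABLE_DIRS = {"appdata", "temp", "tmp", "downloads", "public"}


def split_windows_cmdline(cmdline):
    """Split on whitespace outside double quotes and drop the quotes.
    msiexec property values need no backslash escaping, so this is enough."""
    tokens, cur, in_quote, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            started = True                    # "" still yields an (empty) token
        elif ch.isspace() and not in_quote:
            if started:
                tokens.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        tokens.append("".join(cur))
    return tokens


def parse_msiexec(cmdline):
    """Return image, switches, package path, log file and PROPERTY=value pairs."""
    toks = split_windows_cmdline(cmdline)
    result = {"image": toks[0] if toks else "", "switches": [], "package": None,
              "logfile": None, "properties": {}}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok[:1] in ("/", "-") and len(tok) > 1:
            sw = tok[1:].lower()
            result["switches"].append(sw)
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if sw in PACKAGE_SWITCHES and nxt is not None and nxt[:1] not in ("/", "-"):
                result["package"] = nxt
                i += 1
            elif sw.startswith("l") and nxt is not None:   # /l*v logfile
                result["logfile"] = nxt
                i += 1
        elif "=" in tok:
            name, value = tok.split("=", 1)
            # Public MSI properties are upper-case; the sandbox lowercased the line.
            result["properties"][name.upper()] = value
        i += 1
    return result


def triage(cmdline):
    """Parse and flag: package under a user-writable path, bootstrapper
    (AI_*) properties, and a nested command line handed to the package."""
    parsed = parse_msiexec(cmdline)
    findings = []
    pkg = parsed["package"]
    if pkg:
        parts = {p.lower().rstrip("\\") for p in PureWindowsPath(pkg).parts}
        if parts & USER_WRITABLE_DIRS:
            findings.append("package_in_user_writable_path")
    if any(k.startswith("AI_") for k in parsed["properties"]):
        findings.append("advanced_installer_bootstrapper")
    nested = parsed["properties"].get("EXE_CMD_LINE", "")
    parsed["nested_exe_options"] = nested.split()
    if parsed["nested_exe_options"]:
        findings.append("nested_exe_cmd_line")
    parsed["findings"] = findings
    return parsed


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CMDLINE), indent=2))
```

A long EXE_CMD_LINE is normal for this bootstrapper, so for detection the package path, the parent process and the presence or absence of the AI_* properties are better pivots than the raw length of the line.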
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00DCEAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00DCEAB0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00DC4050
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW, 0_2_00E541E6
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW, 0_2_00E50186
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E5430F
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E544E4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW, 0_2_00E54415
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00E53B80
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: EnumSystemLocalesW, 0_2_00E4FC09
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW, 0_2_00E53D7B
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: EnumSystemLocalesW, 0_2_00E53E6D
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: EnumSystemLocalesW, 0_2_00E53E22
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E53F93
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: EnumSystemLocalesW, 0_2_00E53F08
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00DDBB20 CreateNamedPipeW,CreateFileW, 0_2_00DDBB20
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00E372F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E372F4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe  Code function: 0_2_00DDA240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_00DDA240
MITRE ATT&CK matrix, by tactic. The number in parentheses is the report's count of matching signatures for that technique; techniques without a count are shown by the matrix but had no matching signature.

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
• Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
• Execution: Command and Scripting Interpreter (1), Native API (3), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
• Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Privilege Escalation: Process Injection (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Defense Evasion: Masquerading (21), Virtualization/Sandbox Evasion (11), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Timestomp (1), DLL Side-Loading (1), File Deletion (1)
• Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
• Discovery: System Time Discovery (1), Security Software Discovery (131), Virtualization/Sandbox Evasion (11), Peripheral Device Discovery (11), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (3), System Information Discovery (25)
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
• Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
• Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Legend:
  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1554999  Sample: pYcFueZgOd.exe  Start date: 13/11/2024  Architecture: WINDOWS  Score: 32

Process tree as drawn by the graph (node numbers are the graph's own; the numbers after a process name are the counts the graph attaches to that node, i.e. created registry values and created files per the legend):

• [2] start
  • [5] msiexec.exe 3 9  started
    • dropped [17] C:\Windows\Installer\MSI8811.tmp (PE32)
    • dropped [19] C:\Windows\Installer\MSI87F1.tmp (PE32)
    • dropped [21] C:\Windows\Installer\MSI87A2.tmp (PE32)
    • dropped [23] C:\Windows\Installer\MSI8743.tmp (PE32)
    • [10] msiexec.exe  started
      • signature [33]: Query firmware table information (likely to detect VMs)
    • [13] msiexec.exe  started
  • [8] pYcFueZgOd.exe 40  started
    • dropped [25] C:\Users\user\AppData\Roaming\...\decoder.dll (PE32)
    • dropped [27] C:\Users\user\AppData\Local\...\shi7EE7.tmp (PE32+)
    • dropped [29] C:\Users\user\AppData\Local\...\MSI814A.tmp (PE32)
    • dropped [31] C:\Users\user\AppData\Local\...\MSI7F84.tmp (PE32)
    • [15] msiexec.exe 5  started

Antivirus detection (Source: Detection, Scanner)

Initial sample:
• pYcFueZgOd.exe: 1% (Virustotal), 3% (ReversingLabs)

Dropped files:
• C:\Users\user\AppData\Local\Temp\MSI7F84.tmp: 0% (ReversingLabs), 0% (Virustotal)
• C:\Users\user\AppData\Local\Temp\MSI814A.tmp: 0% (ReversingLabs), 0% (Virustotal)
• C:\Users\user\AppData\Local\Temp\shi7EE7.tmp: 0% (ReversingLabs)
• C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\decoder.dll: 0% (ReversingLabs)
• C:\Windows\Installer\MSI8743.tmp: 0% (ReversingLabs)
• C:\Windows\Installer\MSI87A2.tmp: 0% (ReversingLabs)
• C:\Windows\Installer\MSI87F1.tmp: 0% (ReversingLabs)
• C:\Windows\Installer\MSI8811.tmp: 0% (ReversingLabs)
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in the sample and dropped files (Name; Source; Malicious; Reputation). The thawte.com entries are the certificate-policy URLs of the embedded code-signing certificate chain; the trailing "0" and "0W" are the DER bytes that follow them in the certificate, not part of the URL.

• http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
  Source: pYcFueZgOd.exe (00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp), 6c83b9.msi.2.dr, Installer.msi.0.dr
  Malicious: false; Reputation: high
• http://html4/loose.dtd
  Source: shi7EE7.tmp.0.dr
  Malicious: false; Reputation: high
• https://www.advancedinstaller.com
  Source: pYcFueZgOd.exe (00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp), MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
  Malicious: false; Reputation: high
• https://www.thawte.com/cps0/
  Source: pYcFueZgOd.exe (00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp), MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
  Malicious: false; Reputation: high
• http://.css
  Source: shi7EE7.tmp.0.dr
  Malicious: false; Reputation: high
• http://.jpg
  Source: shi7EE7.tmp.0.dr
  Malicious: false; Reputation: high
• https://www.thawte.com/repository0W
  Source: pYcFueZgOd.exe (00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp), MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
  Malicious: false; Reputation: high
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1554999
                Start date and time:2024-11-13 10:10:18 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 36s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                 Number of new started processes analysed: 8
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:pYcFueZgOd.exe
                renamed because original name is a hash value
                Original Sample Name:5c66f9bca9f767940d4cb22b59f77a5459c8625bdcc4824fbe42af548e5e5d83.exe
                Detection:SUS
                Classification:sus32.evad.winEXE@8/13@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 57%
                • Number of executed functions: 66
                • Number of non-executed functions: 198
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
                No context
                No context
                No context
Dropped files also seen in other Joe Sandbox analyses (Match; Associated sample name / URL; Detection; Threat name):

• C:\Users\user\AppData\Local\Temp\shi7EE7.tmp
  - setup.exe: malicious, Unknown
  - setup.exe: malicious, Unknown
  - VirtualDesktop.Streamer.Setup.exe: malicious, Unknown
  - VirtualDesktop.Streamer.Setup.exe: malicious, Unknown
  - file.exe: malicious, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
  - Step 3 - Setup_Install.exe: malicious, Xmrig
  - http://downloads.ciscocems.com/downloads/CeDAR/Setup_Cedar%208.05.08.zip: malicious, Unknown
  - Bill Details.exe: malicious, UltraVNC
  - Bill Details.exe: malicious, UltraVNC
  - teracopy.exe: malicious, Unknown
• C:\Users\user\AppData\Local\Temp\MSI7F84.tmp
  - IM-vL5WWvBl.msi: malicious, Unknown

The same shi7EE7.tmp turning up in ordinary software installers (teracopy.exe, VirtualDesktop.Streamer.Setup.exe) as well as in stealer and miner droppers, with 0% AV detection, is consistent with a shared installer-framework component rather than a payload; the match list says where the framework has been used, not what this sample does.
                                       Dropped file (name not carried into this extract; its Joe Sandbox View match below is the one recorded above for C:\Users\user\AppData\Local\Temp\MSI7F84.tmp)
                                       Process:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:6144:PBtBN+l8CKvSHJSTHLntEToqi/9rpiAO+7lMhZeBajAt7fgcY:PB/0l1K7HLnt5DgMlgZ7AtDgcY
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Joe Sandbox View:
                                      • Filename: IM-vL5WWvBl.msi, Detection: malicious, Browse
                                      Reputation:moderate, very likely benign file
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):919520
                                      Entropy (8bit):6.451407326378623
                                      Encrypted:false
                                      SSDEEP:24576:1x90VXSK4fSa6HXr1iWn8Zlb2h4ntHurpllQ6a:Pq4Fb6HXr1iWnU84ntHurpllQ6a
                                      MD5:064278F42704CDCE52C8C527CF9AFBC7
                                      SHA1:007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
                                      SHA-256:070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
                                      SHA-512:9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...#S..#S..#S]. R..#S].&R;.#S.'R..#S. R..#S.&R..#S].'R..#S]."R..#S.."S..#S2.*R..#S2.#R..#S2..S..#S..S..#S2.!R..#SRich..#S........PE..L...P..b.........."!.....X...................p...............................@......{9....@.........................`A..t....A.......0.......................@..L...(...p...............................@............p...............................text...nV.......X.................. ..`.rdata.......p.......\..............@..@.data...<....`.......@..............@....rsrc........0......................@..@.reloc..L....@......................@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):280
                                      Entropy (8bit):3.4347808834234357
                                      Encrypted:false
                                      SSDEEP:6:Q2nIeAMOYrsfc/okjxaaOEqQbr62avKpnKBlv2K84UlUlosle:Q2nOGsc/7aFEVbr62aInKT8xh
                                      MD5:5E175FD9C0308725E145CD356447422E
                                      SHA1:494DC977CAFA07CFD8453D1AB319BC7077973D87
                                      SHA-256:4041C5845747A90763D1AF39BE0020A24506A29FA21B6B062974DCB4C29BC00D
                                      SHA-512:3E8E56CEAF2545CB8423449588AFDCAC3C492E05E0304227E3761E70878B4D94FD4F8A7A60AF462B4B6CBADAA5DD9BA40222A0CE207CC1E210A529A5A6B6ACFC
                                      Malicious:false
                                      Reputation:low
                                       Preview:..S.k.i.m.a.r.U.t.i.l.s. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .s.y.s.t.e.m.s. .w.i.t.h. .s.c.r.e.e.n. .r.e.s.o.l.u.t.i.o.n. .s.m.a.l.l.e.r. .t.h.a.n. .1.3.6.0. .x. .7.6.8.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.3./.1.1./.2.0.2.4. . .0.4.:.1.1.:.2.6. .=.=.=.....
                                       Decoded (UTF-16LE): "SkimarUtils cannot be installed on systems with screen resolution smaller than 1360 x 768" followed by "=== Logging stopped: 13/11/2024  04:11:26 ===". This is the Windows Installer log written by msiexec.exe: the package refused to install on the analysis VM because of its own screen-resolution launch condition, so the run exercised the bootstrapper and the MSI's pre-install logic, not the installed product.
                                       Dropped file (name not carried into this extract; its Joe Sandbox View matches below are the ones recorded above for C:\Users\user\AppData\Local\Temp\shi7EE7.tmp)
                                       Process:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5038592
                                      Entropy (8bit):6.043058205786219
                                      Encrypted:false
                                      SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                      MD5:11F7419009AF2874C4B0E4505D185D79
                                      SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                      SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                      SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: setup.exe, Detection: malicious, Browse
                                      • Filename: setup.exe, Detection: malicious, Browse
                                      • Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious, Browse
                                      • Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious, Browse
                                      • Filename: file.exe, Detection: malicious, Browse
                                      • Filename: Step 3 - Setup_Install.exe, Detection: malicious, Browse
                                      • Filename: , Detection: malicious, Browse
                                      • Filename: Bill Details.exe, Detection: malicious, Browse
                                      • Filename: Bill Details.exe, Detection: malicious, Browse
                                      • Filename: teracopy.exe, Detection: malicious, Browse
                                      Reputation:moderate, very likely benign file
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L*......N*.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................
                                       Dropped file (name not carried into this extract; this is the MSI the bootstrapper passed to msiexec.exe, referenced elsewhere in the report as Installer.msi.0.dr)
                                       Process:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {C80C8DC4-7882-4425-A62B-5CA32EF1048D}, Number of Words: 0, Subject: SkimarUtils, Author: ConsolHQ LTD, Name of Creating Application: SkimarUtils, Template: ;1033, Comments: This installer database contains the logic and data required to install SkimarUtils., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):2202112
                                      Entropy (8bit):6.505978865753567
                                      Encrypted:false
                                      SSDEEP:49152:V2VYVKjlgZcDgcYtAvq4Fb6HXr1iWnU84ntHurpllQ6asHCP1N0ZqgJtHhxl:YY4jlYAjFnWns1
                                      MD5:EC03685D7F65603C98E75EF2F755BDFC
                                      SHA1:942ED2C2F75155992CC355C028DEB548FCAF93E6
                                      SHA-256:4BB6045F752606CA4C7381358CB3BEC67D0B4E362A22ED5FACD187BDE6AF5C46
                                      SHA-512:B172A0E5C5C5B802F455CBF4D445C9B78024E07C6DA194543356D376ECDAE93BB323FDBEA61BA80AE0F14EB26766AE86339126E09B37EB5D1F9BFD3C7B4E632A
                                      Malicious:false
                                      Preview:......................>..................."...................................f...............................1...2...3...4...5...6...7...8...9...:...;...<...=...>...C...D...E...F...G...H...I...J...K...................................................................................................................................................................................................................................................................................................................................N...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)...*...4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C.......E...K...G...H...I...J.......L...M...O..._...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...`...*...a...b...c...d...e...........h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                      Process:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):209920
                                      Entropy (8bit):6.447659228395253
                                      Encrypted:false
                                      SSDEEP:3072:tScXkSa4E7uzTK+NbkuO2DcUC1myXxskH9Xq4fa2KbDI0lSmb9D:Q7sO+EZ9LH2j7Mmb9
                                      MD5:A5FFDCF45D3D123139C49017B22F444E
                                      SHA1:7B3D3D293F9A34570FC91500A6580496147C7658
                                      SHA-256:8F49245444B02BF0E103C5A5850A0B2FB1F2880C917261D146E3B8BC3C166E40
                                      SHA-512:5FF195A70825EFCED761ACEEEC5A6F0D0E18C1A4074482F584EFABEF7166C957C728D71D6185E3487A1405C608D820EFA4E07C584D60A8D51625E5D8A9A89397
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..a*..2*..2*..2..3 ..2..3...2x.3...2x.3:..2x.3?..2..3?..2..3-..2*..2...2..3v..2..3+..2..^2+..2*.62+..2..3+..2Rich*..2................PE..L...?..b.........."!.....`...................p............................................@......................... ...........<....p.. .......................0 ......p...........................`...@............p..t............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc..0 ......."..................@..B........................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):162168468
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:2DBC0818CDB52345791955E058A40132
                                      SHA1:3CEC7455FB8C8F57FABA2B065BA7BEEBCECBA565
                                      SHA-256:896FBF58598F1376DC47013E0CCDF5422A54C28460F858ABD25B871DC02D5509
                                      SHA-512:8173DAE9455BD4D200E0C5D3A25014AA879FF3FC9A9001C02F91BB0F1EA10D226BFFD6C8E19BA2F7A37A646749E82C5A70CF62A7C461660A188343C8A19E77CB
                                      Malicious:false
                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                       Dropped file (name not carried into this extract; same hashes as the Installer.msi above, written by the Windows Installer service and referenced elsewhere in the report as 6c83b9.msi.2.dr)
                                       Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {C80C8DC4-7882-4425-A62B-5CA32EF1048D}, Number of Words: 0, Subject: SkimarUtils, Author: ConsolHQ LTD, Name of Creating Application: SkimarUtils, Template: ;1033, Comments: This installer database contains the logic and data required to install SkimarUtils., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):2202112
                                      Entropy (8bit):6.505978865753567
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:EC03685D7F65603C98E75EF2F755BDFC
                                      SHA1:942ED2C2F75155992CC355C028DEB548FCAF93E6
                                      SHA-256:4BB6045F752606CA4C7381358CB3BEC67D0B4E362A22ED5FACD187BDE6AF5C46
                                      SHA-512:B172A0E5C5C5B802F455CBF4D445C9B78024E07C6DA194543356D376ECDAE93BB323FDBEA61BA80AE0F14EB26766AE86339126E09B37EB5D1F9BFD3C7B4E632A
                                      Malicious:false
                                      Preview:......................>..................."...................................f...............................1...2...3...4...5...6...7...8...9...:...;...<...=...>...C...D...E...F...G...H...I...J...K...................................................................................................................................................................................................................................................................................................................................N...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)...*...4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C.......E...K...G...H...I...J.......L...M...O..._...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...`...*...a...b...c...d...e...........h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):453088
                                      Entropy (8bit):6.413087895399404
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FBC6CCCA9154D017D647938190E4AD8D
                                      SHA1:E753F1511F27427616E98762BA2F45D67C3D90D4
                                      SHA-256:D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
                                      SHA-512:D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):919520
                                      Entropy (8bit):6.451407326378623
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:064278F42704CDCE52C8C527CF9AFBC7
                                      SHA1:007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
                                      SHA-256:070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
                                      SHA-512:9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...#S..#S..#S]. R..#S].&R;.#S.'R..#S. R..#S.&R..#S].'R..#S]."R..#S.."S..#S2.*R..#S2.#R..#S2..S..#S..S..#S2.!R..#SRich..#S........PE..L...P..b.........."!.....X...................p...............................@......{9....@.........................`A..t....A.......0.......................@..L...(...p...............................@............p...............................text...nV.......X.................. ..`.rdata.......p.......\..............@..@.data...<....`.......@..............@....rsrc........0......................@..@.reloc..L....@......................@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):360001
                                      Entropy (8bit):5.362990898893127
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:54AF47CDC74B83878F50F08804FC9322
                                      SHA1:7E19490EEA1B3C4EA03266728BFBFD0DCF1FFDD5
                                      SHA-256:30BD3844025CE22907000E34629E594CCF126B14AAF53CF99C2675A694204C32
                                      SHA-512:32CA8A83A49F5FCC87DB47DD09AF400E55F04BDA7897932CEB774D0AADDEF9B1A52848FA7CA9D4FB1B7AFEACE5659968E08443206155B0AEAA086ABFB81C82A0
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.976619871966806
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:pYcFueZgOd.exe
                                      File size:49'199'285 bytes
                                      MD5:196bba4588947b52ece8dc38cd566b24
                                      SHA1:cb31b0ce35428b4d8ad22a52547c04a517d89e68
                                      SHA256:5c66f9bca9f767940d4cb22b59f77a5459c8625bdcc4824fbe42af548e5e5d83
                                      SHA512:1192bf94fe97de25a1fcaf70ba76c67fbf823500656ad8d6615b5169b9fd7879ddeb3f1f348988839bd838be90153c906ed1084c9abe8bb63d101d19274ee036
                                      SSDEEP:786432:KVfExzYbFwhkPMvMGp+X7l+AOeMlcft9qjpsP7qLr3HbpGwCTPxtYVqbqR0/pNj0:fUBowMvMl+ot9Wpsz2rXbpDCTptDJx+/
                                      TLSH:3AB72330364EC52BDA6615B0292C9A9F552D7E750B71A8C7B3CC2D2E1BB49C34732E27
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{...{...{.3.x...{.3.~.X.{.3.}...{.......{...x...{...~...{.3.....{.3.z...{.3.|...{...z.8.{.\.r...{.\.....{.......{.\.y...{
                                      Icon Hash:9713331b4d3b2f0c
                                      Entrypoint:0x596c64
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6213B2EE [Mon Feb 21 15:42:38 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:836688c7d21e39394af41ce9a8c2d728
                                      Instruction
                                      call 00007F9A8D61781Dh
                                      jmp 00007F9A8D616FBFh
                                      mov ecx, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], ecx
                                      pop ecx
                                      pop edi
                                      pop edi
                                      pop esi
                                      pop ebx
                                      mov esp, ebp
                                      pop ebp
                                      push ecx
                                      ret
                                      mov ecx, dword ptr [ebp-10h]
                                      xor ecx, ebp
                                      call 00007F9A8D616613h
                                      jmp 00007F9A8D617122h
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-10h], eax
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      push eax
                                      push dword ptr fs:[00000000h]
                                      lea eax, dword ptr [esp+0Ch]
                                      sub esp, dword ptr [esp+0Ch]
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [eax], ebp
                                      mov ebp, eax
                                      mov eax, dword ptr [0069E01Ch]
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-10h], esp
                                      push dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                      lea eax, dword ptr [ebp-0Ch]
                                      mov dword ptr fs:[00000000h], eax
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29cb94 | 0x28 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a7000 | 0x3d564 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e5000 | 0x256bc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x246778 | 0x70 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x246800 | 0x18 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x219f38 | 0x40 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x218000 | 0x2c0 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x299f88 | 0x260 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x1000 | 0x216c3f | 0x216e00 | b670db57563315716440578ee99e5466 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata | 0x218000 | 0x85b8c | 0x85c00 | 59a6fbcfc1f150b26bf16fdd47452e43 | False | 0.3120947721962617 | data | 4.605894063170113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data | 0x29e000 | 0x89f0 | 0x6a00 | 1cea180402edcf39ea7c6193312cce32 | False | 0.14180424528301888 | DOS executable (block device driver 0aY) | 2.8670521481443174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc | 0x2a7000 | 0x3d564 | 0x3d600 | e7d02ce3727ddc83544486f0bf581520 | False | 0.2636161850814664 | data | 5.855843008118312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x2e5000 | 0x256bc | 0x25800 | 08f0f06260e93e98732bfb4145f07cca | False | 0.446171875 | data | 6.512576488264422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       IMAGE_FILE | 0x2a7bf0 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                       IMAGE_FILE | 0x2a7bf8 | 0x6 | ISO-8859 text, with no line terminators | English | United States | 2.1666666666666665
                                       RTF_FILE | 0x2a7c00 | 0x2e9 | Rich Text Format data, version 1, ANSI, code page 1252 | English | United States | 0.5503355704697986
                                       RTF_FILE | 0x2a7eec | 0xa1 | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | English | United States | 0.906832298136646
                                       RT_BITMAP | 0x2a7f90 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
                                       RT_BITMAP | 0x2a80d0 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
                                       RT_BITMAP | 0x2a88f8 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
                                       RT_BITMAP | 0x2ad1a0 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
                                       RT_BITMAP | 0x2adc0c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
                                       RT_BITMAP | 0x2add60 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
                                       RT_ICON | 0x2ae588 | 0x7c5a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9958534899792675
                                       RT_ICON | 0x2b61e4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.142848692771797
                                       RT_ICON | 0x2c6a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.29470954356846474
                                       RT_ICON | 0x2c8fb4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3621013133208255
                                       RT_ICON | 0x2ca05c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.45819672131147543
                                       RT_MENU | 0x2ca9e4 | 0x5c | data | English | United States | 0.8478260869565217
                                       RT_MENU | 0x2caa40 | 0x2a | data | English | United States | 1.0714285714285714
                                       RT_DIALOG | 0x2caa6c | 0xac | data | English | United States | 0.7151162790697675
                                       RT_DIALOG | 0x2cab18 | 0x2a6 | data | English | United States | 0.5132743362831859
                                       RT_DIALOG | 0x2cadc0 | 0x3b4 | data | English | United States | 0.43248945147679324
                                       RT_DIALOG | 0x2cb174 | 0xbc | data | English | United States | 0.7180851063829787
                                       RT_DIALOG | 0x2cb230 | 0x204 | data | English | United States | 0.560077519379845
                                       RT_DIALOG | 0x2cb434 | 0x282 | data | English | United States | 0.48598130841121495
                                       RT_DIALOG | 0x2cb6b8 | 0xcc | data | English | United States | 0.6911764705882353
                                       RT_DIALOG | 0x2cb784 | 0x146 | data | English | United States | 0.5736196319018405
                                       RT_DIALOG | 0x2cb8cc | 0x226 | data | English | United States | 0.4690909090909091
                                       RT_DIALOG | 0x2cbaf4 | 0x388 | data | English | United States | 0.45464601769911506
                                       RT_DIALOG | 0x2cbe7c | 0x1b4 | data | English | United States | 0.5458715596330275
                                       RT_DIALOG | 0x2cc030 | 0x136 | data | English | United States | 0.6064516129032258
                                       RT_DIALOG | 0x2cc168 | 0x4c | data | English | United States | 0.8289473684210527
                                       RT_STRING | 0x2cc1b4 | 0x45c | data | English | United States | 0.3844086021505376
                                       RT_STRING | 0x2cc610 | 0x344 | data | English | United States | 0.37320574162679426
                                       RT_STRING | 0x2cc954 | 0x2f8 | data | English | United States | 0.4039473684210526
                                       RT_STRING | 0x2ccc4c | 0x598 | data | English | United States | 0.2807262569832402
                                       RT_STRING | 0x2cd1e4 | 0x3aa | StarOffice Gallery theme i, 1627418368 objects, 1st n | English | United States | 0.4211087420042644
                                       RT_STRING | 0x2cd590 | 0x5c0 | data | English | United States | 0.3498641304347826
                                       RT_STRING | 0x2cdb50 | 0x568 | data | English | United States | 0.32875722543352603
                                       RT_STRING | 0x2ce0b8 | 0x164 | data | English | United States | 0.5421348314606742
                                       RT_STRING | 0x2ce21c | 0x520 | data | English | United States | 0.39176829268292684
                                       RT_STRING | 0x2ce73c | 0x1a0 | data | English | United States | 0.45913461538461536
                                       RT_STRING | 0x2ce8dc | 0x18a | data | English | United States | 0.5228426395939086
                                       RT_STRING | 0x2cea68 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
                                       RT_STRING | 0x2cec80 | 0x624 | data | English | United States | 0.3575063613231552
                                       RT_STRING | 0x2cf2a4 | 0x660 | data | English | United States | 0.3474264705882353
                                       RT_STRING | 0x2cf904 | 0x2e2 | data | English | United States | 0.4037940379403794
                                       RT_GROUP_ICON | 0x2cfbe8 | 0x4c | data | English | United States | 0.7763157894736842
                                       RT_VERSION | 0x2cfc34 | 0x2e4 | data | English | United States | 0.4581081081081081
                                       RT_HTML | 0x2cff18 | 0x37c8 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08291316526610644
                                       RT_HTML | 0x2d36e0 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
                                       RT_HTML | 0x2d49f8 | 0x4fa | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3626373626373626
                                       RT_HTML | 0x2d4ef4 | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
                                       RT_HTML | 0x2db9c4 | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
                                       RT_HTML | 0x2dc068 | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
                                       RT_HTML | 0x2dd0b4 | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
                                       RT_HTML | 0x2de668 | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
                                       RT_HTML | 0x2e06c4 | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
                                       RT_MANIFEST | 0x2e3d54 | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.40814348036839554
                                       DLL | Import
                                       KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW
                                       Language of compilation system | Country where language is spoken
                                       English | United States
                                      No network behavior found

                                      Target ID:0
                                      Start time:04:11:14
                                      Start date:13/11/2024
                                      Path:C:\Users\user\Desktop\pYcFueZgOd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\pYcFueZgOd.exe"
                                      Imagebase:0xca0000
                                      File size:49'199'285 bytes
                                      MD5 hash:196BBA4588947B52ECE8DC38CD566B24
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:04:11:18
                                      Start date:13/11/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff7a91d0000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:3
                                      Start time:04:11:20
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 161E3B14046EDAE7687DCE0A2DE92319 C
                                      Imagebase:0xcd0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:04:11:20
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""
                                      Imagebase:0xcd0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:04:11:22
                                      Start date:13/11/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 086D93F0B7AD81A713F30BD085B16B8B
                                      Imagebase:0xcd0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true
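
The process list above shows the sample handing execution to msiexec.exe, first as a service instance (/V), then as a client install (/i) of an MSI dropped under AppData\Roaming and passed Advanced Installer bootstrapper properties (the AI_ prefix is Advanced Installer's property namespace). The import table at the top of this section lists several APIs that sandboxes flag as environment probes. The Python below is an added example, not part of the Joe Sandbox report: it parses process records in this report's Key:Value form, pulls the MSI path and installer properties out of the msiexec command line, and checks an import list against a small watchlist. The process records are copied from the report and trimmed; the watchlist, the user-writable path markers and all function names are this example's own choices. Two caveats the code encodes: the sample itself (Target ID 0) already ran elevated, so the elevated msiexec children are inherited, not escalation; and IsDebuggerPresent, QueryPerformanceCounter, IsProcessorFeaturePresent and UnhandledExceptionFilter are also imported by stock MSVC runtime start-up code, so on their own they are weak evidence.

```python
"""Triage helpers for a Joe Sandbox-style process list and import table.

Added example, not part of the Joe Sandbox report. Process records are copied
from the report and trimmed; watchlists, markers and names are this example's.
"""
import re
from dataclasses import dataclass, field

# Constructed input: three of the five process records from the report, trimmed.
SAMPLE_PROCESSES = r"""
Target ID:0
Path:C:\Users\user\Desktop\pYcFueZgOd.exe
Commandline:"C:\Users\user\Desktop\pYcFueZgOd.exe"
Has elevated privileges:true

Target ID:2
Path:C:\Windows\System32\msiexec.exe
Commandline:C:\Windows\system32\msiexec.exe /V
Has elevated privileges:true

Target ID:4
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""
Has elevated privileges:true
"""

# Constructed input: a subset of the kernel32 import list shown in the report.
SAMPLE_IMPORTS = ("GetPrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, "
                  "Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, "
                  "IsWow64Process, QueryPerformanceCounter, IsDebuggerPresent, "
                  "IsProcessorFeaturePresent, UnhandledExceptionFilter, "
                  "TerminateProcess, ReadConsoleW")

# Watchlist (this example's choice). The bool marks APIs that the stock MSVC
# runtime start-up code imports anyway, so a hit alone is weak evidence.
IMPORT_WATCHLIST = {
    "IsDebuggerPresent":              ("debugger check", True),
    "QueryPerformanceCounter":        ("high-resolution timer, timing checks", True),
    "IsProcessorFeaturePresent":      ("CPU feature probe", True),
    "UnhandledExceptionFilter":       ("exception-based anti-debug trick", True),
    "IsWow64Process":                 ("bitness / WoW64 probe", False),
    "Wow64DisableWow64FsRedirection": ("reach native System32 from a 32-bit process", False),
    "CreateNamedPipeW":               ("local IPC channel", False),
}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
# One token is a run of unquoted text and/or "quoted" sections, Windows style.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass
class MsiInstall:
    target_id: str
    msi_path: str
    properties: dict[str, str] = field(default_factory=dict)
    flags: list[str] = field(default_factory=list)


def parse_process_list(text: str) -> list[dict[str, str]]:
    """Split a Joe Sandbox-style listing into one dict per blank-line-separated block."""
    processes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")   # first colon only: "Path:C:\..."
            if sep:
                record[key] = value
        if record:
            processes.append(record)
    return processes


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted spans together and dropping the quotes."""
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def find_msi_installs(processes: list[dict[str, str]]) -> list[MsiInstall]:
    """Extract package path, PROPERTY=value pairs and switches from msiexec /i command lines."""
    installs = []
    for proc in processes:
        if not proc.get("Path", "").lower().endswith("\\msiexec.exe"):
            continue
        tokens = tokenize(proc.get("Commandline", ""))[1:]   # drop argv[0]
        msi_path, props, flags, i = None, {}, [], 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.lower() in ("/i", "-i", "/package") and i + 1 < len(tokens):
                msi_path, flags = tokens[i + 1], flags + [tok]
                i += 2
                continue
            if "=" in tok and not tok.startswith(("/", "-")):
                key, _, value = tok.partition("=")
                props[key] = value
            else:
                flags.append(tok)
            i += 1
        if msi_path:
            installs.append(MsiInstall(proc.get("Target ID", "?"), msi_path, props, flags))
    return installs


def is_user_writable(path: str) -> bool:
    """Heuristic: MSI staged in a user-writable directory rather than Program Files."""
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def is_advanced_installer(install: MsiInstall) -> bool:
    """AI_* properties are Advanced Installer's bootstrapper property namespace."""
    return any(k.startswith("AI_") for k in install.properties)


def root_was_elevated(processes: list[dict[str, str]]) -> bool:
    """True when Target ID 0 already ran elevated: elevated children are then inherited."""
    for p in processes:
        if p.get("Target ID") == "0":
            return p.get("Has elevated privileges", "").lower() == "true"
    return False


def triage_imports(import_line: str) -> dict[str, tuple[str, bool]]:
    """Watchlisted names present in a comma-separated import list."""
    names = {n.strip() for n in import_line.split(",")}
    return {n: IMPORT_WATCHLIST[n] for n in names if n in IMPORT_WATCHLIST}


def strong_import_hits(import_line: str) -> list[str]:
    """Watchlist hits that the MSVC CRT alone would not explain."""
    return sorted(n for n, (_, crt) in triage_imports(import_line).items() if not crt)


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_PROCESSES)
    print("root process already elevated:", root_was_elevated(procs))
    for inst in find_msi_installs(procs):
        print(f"[{inst.target_id}] MSI: {inst.msi_path}")
        print("  user-writable location:", is_user_writable(inst.msi_path))
        print("  Advanced Installer bootstrapper:", is_advanced_installer(inst))
        for k, v in inst.properties.items():
            print(f"  {k} = {v!r}")
    print("strong import hits:", strong_import_hits(SAMPLE_IMPORTS))
```

The tokenizer is deliberately not shlex: POSIX shlex would eat the backslashes in Windows paths, and the msiexec property syntax (PROPERTY="value with spaces") needs the quoted span glued to the unquoted prefix, which the single regex handles.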


                                        Execution Graph

                                        Execution Coverage:3.4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:23.2%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:99
                                        [Execution graph node and edge data (interactive viewer export) omitted. Windows API calls reachable in the graph: GetLastError, SetLastError, SetWindowLongW, GetWindowLongW, DestroyWindow, GetParent, GetWindow, GetWindowRect, SetWindowPos, SendMessageW, MonitorFromWindow, GetMonitorInfoW, HeapAlloc, RtlFreeHeap, GetProcessHeap, LoadLibraryW, LoadLibraryExW, FreeLibrary, GetModuleHandleW, GetProcAddress, RaiseException, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemDirectoryW, EnterCriticalSection, SleepConditionVariableCS, RtlWakeAllConditionVariable, SetEvent, ResetEvent, WaitForSingleObject, WaitForSingleObjectEx, GetExitCodeThread, TerminateThread, PathIsUNCW, GetFullPathNameW, FindFirstFileW, FindClose, CreateFileW, SetFilePointer, ReadFile, CloseHandle, RegOpenKeyExW, RegCloseKey, GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, WideCharToMultiByte, FindResourceW, LoadResource, LockResource, SizeofResource, CreateNamedPipeW. Resolved CRT/STL symbols in the graph (_ValidateLocalCookies, std::_Locinfo::_Locinfo_ctor, std::_Facet_Register, std::ios_base::_Ios_base_dtor, __Getctype, ___free_lconv_mon, __freea, __cftof, Concurrency::cancel_current_task) indicate MSVC C++ runtime code inside the sample.]
68164->68165 68166 ddc155 68165->68166 68167 ddc232 68165->68167 68470 ddc240 68166->68470 68168 ca9b10 2 API calls 68167->68168 68169 ddc23c 68168->68169 68171 ddc177 68172 cbb330 45 API calls 68171->68172 68173 ddc184 68172->68173 68173->67915 68175 dccf7d 68174->68175 68177 db81d8 68174->68177 68175->68177 68522 cb2970 RaiseException 68175->68522 68177->67830 68177->67882 68178 dccfb2 68180 ca9e50 53 API calls 68179->68180 68181 dc4092 68180->68181 68182 dc409c GetLocaleInfoW 68181->68182 68183 dc414b 68181->68183 68189 d85030 54 API calls 68182->68189 68184 ca9b10 2 API calls 68183->68184 68185 dc4155 MsgWaitForMultipleObjectsEx 68184->68185 68187 dc4187 68185->68187 68188 dc41f1 68185->68188 68191 dc41fb 68187->68191 68192 dc41a5 PeekMessageW 68187->68192 68188->67875 68190 dc40d8 68189->68190 68193 dc40f6 GetLocaleInfoW 68190->68193 68523 ca97c0 45 API calls 68190->68523 68191->67875 68195 dc41cd TranslateMessage DispatchMessageW 68192->68195 68196 dc41db MsgWaitForMultipleObjectsEx 68192->68196 68194 ca8e30 65 API calls 68193->68194 68198 dc4112 68194->68198 68195->68196 68196->68187 68196->68188 68198->67875 68199 dc40f3 68199->68193 68201 dc3e40 46 API calls 68200->68201 68202 dc34a7 68201->68202 68203 dc34ad 68202->68203 68204 dc34c3 68202->68204 68203->67841 68524 dc3a60 246 API calls 68204->68524 68206 dc34ce 68525 dc3c80 11 API calls _ValidateLocalCookies 68206->68525 68208 dc34e9 68209 ca9e50 53 API calls 68208->68209 68230 dc3567 68208->68230 68213 dc34fe 68209->68213 68210 dc35ae 68214 dc35c1 68210->68214 68527 dc3660 55 API calls 68210->68527 68211 dc3650 68529 cb2970 RaiseException 68211->68529 68216 dc3508 68213->68216 68217 dc3646 68213->68217 68221 dc35ea 68214->68221 68528 dc3660 55 API calls 68214->68528 68215 dc365c 68222 cba950 117 API calls 68216->68222 68220 ca9b10 2 API calls 68217->68220 68220->68211 68224 e3f5b6 __freea 13 API calls 68221->68224 68226 dc3600 68221->68226 68223 dc3526 68222->68223 68225 dc4050 72 API calls 68223->68225 
68224->68226 68229 dc3530 68225->68229 68226->67841 68227 dc3559 68526 dd74c0 238 API calls 68227->68526 68229->68227 68231 cba950 117 API calls 68229->68231 68230->68210 68230->68211 68231->68227 68232->67897 68233->67906 68234->67946 68235->67994 68237 dc475c 68236->68237 68241 db8d96 68236->68241 68238 e36199 std::_Facet_Register 2 API calls 68237->68238 68239 dc4766 68238->68239 68530 de15e0 68239->68530 68242 dbe580 68241->68242 68243 dbe5b5 68242->68243 68250 dbe6dc 68242->68250 68244 dbe664 68243->68244 68261 dbe5bd 68243->68261 68696 dbfd80 RaiseException 68244->68696 68245 dbe92f 68246 dbc580 15 API calls 68245->68246 68248 dbe93e 68246->68248 68255 dbc580 15 API calls 68248->68255 68249 dbe762 68253 dbe80d 68249->68253 68254 dbe772 68249->68254 68250->68245 68250->68249 68251 dbe66b 68252 dbea30 68251->68252 68256 dbe67f 68251->68256 68703 cb2970 RaiseException 68252->68703 68624 dbc580 68253->68624 68258 dbc580 15 API calls 68254->68258 68300 dbe808 68255->68300 68697 dbfdd0 117 API calls 68256->68697 68264 dbe77d 68258->68264 68695 dbf950 314 API calls __freea 68261->68695 68263 dbe60d 68263->68054 68290 dbe925 68264->68290 68698 dbfd20 RaiseException 68264->68698 68265 dbea3c 68269 ca9b10 2 API calls 68265->68269 68266 dbe694 68270 cbb330 45 API calls 68266->68270 68268 dbe8b3 68274 dbe8ce 68268->68274 68631 dc2380 68268->68631 68272 dbea46 68269->68272 68273 dbe6a4 68270->68273 68271 dbe798 68271->68252 68276 dbe7a9 68271->68276 68273->68054 68278 dbe8ed 68274->68278 68281 e3f5b6 __freea 13 API calls 68274->68281 68275 dbe818 68275->68252 68275->68268 68289 dbc580 15 API calls 68275->68289 68285 d9fde0 54 API calls 68276->68285 68662 dc2810 68278->68662 68279 dbe97e 68700 da5170 49 API calls 68279->68700 68280 dbe973 68699 ca9390 53 API calls 68280->68699 68281->68278 68287 dbe7be 68285->68287 68286 dbe97c 68293 dbe9c2 68286->68293 68289->68275 68292 dbea02 68290->68292 68294 e3f5b6 __freea 13 API calls 68290->68294 68292->68054 68294->68292 
68300->68279 68300->68280 68363->67815 68364->67815 68365->67843 68367 dc2ae6 68366->68367 68368 dc2ac0 68366->68368 68870 cb2970 RaiseException 68367->68870 68368->68367 68370 dc2ad2 DeleteFileW 68368->68370 68370->68367 68370->68368 68371 dc2bb8 68372 db7f25 68371->68372 68374 e3f5b6 __freea 13 API calls 68371->68374 68372->67918 68373 dc2bf4 68877 cb2970 RaiseException 68373->68877 68374->68372 68375 dc2b01 std::ios_base::_Ios_base_dtor 68375->68371 68375->68373 68871 ddf6d0 68375->68871 68377 dc2c00 68379->67921 68380->67930 68381->67953 68382->67831 68383->67838 68385 dc3e7e EnumResourceLanguagesW 68384->68385 68391 dc3fe1 68384->68391 68393 dc3ebd 68385->68393 68386 dc3f0e 68389 e3f5b6 __freea 13 API calls 68386->68389 68395 dc3f1b __Getctype 68386->68395 68387 dc4011 68879 cb2970 RaiseException 68387->68879 68389->68395 68390 dc3fbf 68390->68391 68392 e3f5b6 __freea 13 API calls 68390->68392 68391->67866 68392->68391 68393->68386 68393->68387 68394 dc3f50 68393->68394 68394->68395 68878 cbb3a0 44 API calls 3 library calls 68394->68878 68395->68387 68395->68390 68397 dc401d 68397->67866 68399->67844 68400->67880 68401->67961 68402->67971 68404->67896 68405->67899 68406->67899 68407->68009 68409 d8ca0d 68408->68409 68410 d8ca4b 68408->68410 68411 e3f5b6 __freea 13 API calls 68409->68411 68410->68009 68411->68410 68412->68009 68413->68009 68414->68009 68415->68009 68416->68042 68417->68010 68418->67980 68419->67982 68420->67997 68421->68021 68422->68025 68423->68013 68424->68018 68425->68032 68432->67992 68433->68120 68434->68124 68435->68140 68436->68140 68438 d89785 68437->68438 68439 d89746 68437->68439 68441 ca9b10 2 API calls 68438->68441 68447 d89790 68438->68447 68440 d89762 68439->68440 68448 ca98a0 45 API calls 68439->68448 68449 ca9910 44 API calls 4 library calls 68440->68449 68444 d897aa 68441->68444 68444->68149 68445 d89772 68450 ca9910 44 API calls 4 library calls 68445->68450 68447->68149 68448->68440 68449->68445 68450->68438 68452 ca9e50 53 
API calls 68451->68452 68453 ddc4ca 68452->68453 68454 ddc53a 68453->68454 68455 ddc4d0 68453->68455 68456 ca9b10 2 API calls 68454->68456 68459 ddc4fd 68455->68459 68460 ddc4f2 68455->68460 68457 ddc544 68456->68457 68469 ddbdb0 122 API calls std::_Locinfo::_Locinfo_ctor 68457->68469 68468 ca99c0 45 API calls 3 library calls 68459->68468 68467 ca9390 53 API calls 68460->68467 68463 ddc4fb 68464 cba950 117 API calls 68463->68464 68465 ddc525 68464->68465 68465->68157 68466 ddc588 68466->68157 68467->68463 68468->68463 68469->68466 68471 ddc2b8 ReadFile 68470->68471 68472 ddc277 ConnectNamedPipe 68470->68472 68474 ddc34c 68471->68474 68475 ddc2e0 68471->68475 68472->68471 68473 ddc284 GetLastError 68472->68473 68473->68471 68476 ddc291 68473->68476 68477 ca9e50 53 API calls 68474->68477 68475->68474 68478 ddc2e5 68475->68478 68476->68471 68479 ddc297 68476->68479 68480 ddc351 68477->68480 68481 cb6990 62 API calls 68478->68481 68482 ca9e50 53 API calls 68479->68482 68483 ddc29c 68480->68483 68484 ddc357 68480->68484 68485 ddc2f0 68481->68485 68482->68483 68486 ca9b10 2 API calls 68483->68486 68489 ddc2a4 68483->68489 68484->68489 68487 ca9650 45 API calls 68485->68487 68490 ddc391 68486->68490 68488 ddc302 68487->68488 68488->68171 68489->68171 68491 ddc415 WriteFile 68490->68491 68492 ddc3d6 68490->68492 68494 ddc44c 68491->68494 68495 ddc432 68491->68495 68493 ca9e50 53 API calls 68492->68493 68496 ddc3db 68493->68496 68498 ddc240 118 API calls 68494->68498 68497 ca9e50 53 API calls 68495->68497 68499 ddc3e3 68496->68499 68501 ca9b10 2 API calls 68496->68501 68500 ddc437 68497->68500 68498->68500 68499->68171 68500->68171 68500->68496 68502 ddc43d 68500->68502 68503 ddc487 68501->68503 68502->68499 68504 ca9e50 53 API calls 68503->68504 68505 ddc4ca 68504->68505 68506 ddc53a 68505->68506 68507 ddc4d0 68505->68507 68508 ca9b10 2 API calls 68506->68508 68511 ddc4fd 68507->68511 68512 ddc4f2 68507->68512 68509 ddc544 68508->68509 68521 ddbdb0 122 API calls 
std::_Locinfo::_Locinfo_ctor 68509->68521 68520 ca99c0 45 API calls 3 library calls 68511->68520 68519 ca9390 53 API calls 68512->68519 68515 ddc4fb 68516 cba950 117 API calls 68515->68516 68517 ddc525 68516->68517 68517->68171 68518 ddc588 68518->68171 68519->68515 68520->68515 68521->68518 68522->68178 68523->68199 68524->68206 68525->68208 68526->68230 68529->68215 68531 ca9e50 53 API calls 68530->68531 68532 de1688 68531->68532 68533 de17e9 68532->68533 68536 ca9e50 53 API calls 68532->68536 68534 ca9b10 2 API calls 68533->68534 68535 de17f3 68534->68535 68554 de18e0 IsWindow 68535->68554 68538 de16ab 68536->68538 68538->68533 68540 ca9e50 53 API calls 68538->68540 68541 de1717 68540->68541 68541->68533 68542 ca9e50 53 API calls 68541->68542 68555 de193b EndDialog 68554->68555 68556 de1946 68554->68556 68555->68556 68622 de1830 10 API calls 68556->68622 68625 dbc5ba 68624->68625 68627 dbc5cb 68624->68627 68626 ca9b10 2 API calls 68625->68626 68625->68627 68628 dbc65a 68626->68628 68627->68275 68629 dbc691 68628->68629 68630 e3f5b6 __freea 13 API calls 68628->68630 68629->68275 68630->68629 68632 ca9e50 53 API calls 68631->68632 68633 dc23cc 68632->68633 68695->68263 68696->68251 68697->68266 68698->68271 68699->68286 68700->68286 68703->68265 68870->68375 68872 ddf710 68871->68872 68873 ddf745 68872->68873 68874 ddf734 FreeLibrary 68872->68874 68875 ddf799 68873->68875 68876 ddf788 CloseHandle 68873->68876 68874->68873 68875->68375 68876->68875 68877->68377 68878->68394 68879->68397 68880 dc14d0 68881 ca9e50 53 API calls 68880->68881 68885 dc1525 68881->68885 68882 dc1f4f 68883 ca9b10 2 API calls 68882->68883 68884 dc1f59 68883->68884 68885->68882 68886 ca9e50 53 API calls 68885->68886 68887 dc1564 68886->68887 68887->68882 68888 ca9e50 53 API calls 68887->68888 68889 dc1582 68888->68889 68889->68882 68890 dc1681 68889->68890 68962 da39b0 101 API calls 68889->68962 68891 ca9e50 53 API calls 68890->68891 68938 dc16be std::locale::_Setgloballocale 68891->68938 
68893 dc15b3 68894 cbb330 45 API calls 68893->68894 68895 dc15c0 68894->68895 68899 cbb330 45 API calls 68895->68899 68896 dc1bf5 68950 de0810 68896->68950 68897 e36199 std::_Facet_Register 2 API calls 68897->68938 68901 dc1618 68899->68901 68963 dc2090 101 API calls 68901->68963 68902 dc1c43 68906 dc1dac CloseHandle 68902->68906 68939 dc1c4e 68902->68939 68904 dc1cca CreateEventW 68909 dc1ce1 68904->68909 68905 dc1cf7 CreateThread 68907 dc1d2b WaitForSingleObject GetExitCodeThread 68905->68907 68908 dc1d24 68905->68908 68990 ddf930 280 API calls 68905->68990 68906->68939 68910 dc1d6b 68907->68910 68911 dc1d43 68907->68911 68908->68907 68909->68905 68910->68902 68915 dc1d7a CloseHandle 68910->68915 68911->68902 68914 dc1d59 CloseHandle 68911->68914 68912 dc1dce CloseHandle 68913 dc1dd8 68912->68913 68916 d8c9e0 13 API calls 68913->68916 68914->68902 68915->68902 68927 dc1e0c std::ios_base::_Ios_base_dtor 68916->68927 68917 dc1e8b 68919 e3f5b6 __freea 13 API calls 68917->68919 68922 dc1e9f 68917->68922 68918 dc17cc 68919->68922 68920 dc1f43 68972 cb2970 RaiseException 68920->68972 68923 e3615a _ValidateLocalCookies 5 API calls 68922->68923 68924 dc1f2f 68923->68924 68925 ddf6d0 2 API calls 68925->68927 68927->68917 68927->68920 68927->68925 68928 ca9e50 53 API calls 68928->68938 68929 d9fde0 54 API calls 68929->68938 68930 d9fde0 54 API calls 68940 dc1a75 std::locale::_Setgloballocale 68930->68940 68932 dc1a9e FindFirstFileW 68934 dc1ae2 FindClose 68932->68934 68932->68940 68933 cbb330 45 API calls 68933->68938 68934->68940 68936 cbb330 45 API calls 68936->68940 68937 ddf850 281 API calls 68937->68940 68938->68882 68938->68896 68938->68897 68938->68918 68938->68920 68938->68928 68938->68929 68938->68933 68938->68939 68938->68940 68942 da4920 127 API calls 68938->68942 68943 d9f300 46 API calls 68938->68943 68944 ddf7b0 68938->68944 68964 da39b0 101 API calls 68938->68964 68965 ddf850 CreateFileW 68938->68965 68939->68912 68939->68913 68940->68930 68940->68932 
68940->68936 68940->68937 68940->68938 68941 dc1c57 68940->68941 68941->68939 68942->68938 68943->68938 68945 ddf7be LoadLibraryW 68944->68945 68946 ddf7b9 68944->68946 68947 ddf7d7 68945->68947 68946->68938 68948 ddf7f7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 68947->68948 68949 ddf7f1 68947->68949 68948->68938 68949->68938 68951 de0848 CreateEventW 68950->68951 68952 de0876 CreateThread 68950->68952 68955 de085d 68951->68955 68953 de098c WaitForSingleObject GetExitCodeThread 68952->68953 68954 de08b2 68952->68954 68974 de0bd0 68952->68974 68956 de09b9 CloseHandle 68953->68956 68957 dc1c3d 68953->68957 68958 de09dd 68954->68958 68960 de0970 68954->68960 68955->68952 68956->68957 68957->68902 68957->68904 68957->68905 68973 cb2970 RaiseException 68958->68973 68960->68953 68961 de09e9 68962->68893 68963->68890 68964->68938 68967 ddf87d 68965->68967 68966 ddf8f9 68966->68938 68967->68966 68968 ca9b10 2 API calls 68967->68968 68969 ddf92b 68968->68969 68989 ddf940 280 API calls __freea 68969->68989 68971 ddf939 68971->68938 68972->68882 68973->68961 68975 de09f0 RaiseException 68974->68975 68976 de0bd4 68975->68976 68979 de09f0 68976->68979 68978 de0bd9 68981 de0a2a 68979->68981 68980 de0b83 68980->68978 68981->68980 68988 cb2970 RaiseException 68981->68988 68983 de0bc5 68984 de09f0 RaiseException 68983->68984 68985 de0bd4 68984->68985 68986 de09f0 RaiseException 68985->68986 68987 de0bd9 68986->68987 68987->68978 68988->68983 68989->68971 68991 cd21e0 68992 cd21f3 std::ios_base::_Ios_base_dtor 68991->68992 68997 e37d0c 68992->68997 68995 cd2209 SetUnhandledExceptionFilter 68996 cd221b 68995->68996 69002 e37d44 68997->69002 68999 e37d15 69000 e37d44 __set_se_translator 54 API calls 68999->69000 69001 cd21fd 69000->69001 69001->68995 69001->68996 69015 e37d52 22 API calls 4 library calls 69002->69015 69004 e37d49 69004->68999 69016 e4f247 EnterCriticalSection std::locale::_Setgloballocale 69004->69016 69006 e3fe16 69007 e3fe21 69006->69007 69017 
e4f28c 44 API calls 6 library calls 69006->69017 69009 e3fe2b IsProcessorFeaturePresent 69007->69009 69013 e3fe4a 69007->69013 69010 e3fe37 69009->69010 69018 e3ad13 8 API calls 2 library calls 69010->69018 69019 e4c73e 69013->69019 69015->69004 69016->69006 69017->69007 69018->69013 69022 e4c5a5 69019->69022 69023 e4c5e4 69022->69023 69024 e4c5d2 69022->69024 69034 e4c44e 69023->69034 69047 e37247 GetModuleHandleW 69024->69047 69027 e4c61b 69029 e3fe54 69027->69029 69040 e4c63c 69027->69040 69028 e4c5d7 69028->69023 69048 e4c68f GetModuleHandleExW 69028->69048 69029->68999 69035 e4c45a __Getctype 69034->69035 69054 e4a89a EnterCriticalSection 69035->69054 69037 e4c464 69055 e4c4ba 69037->69055 69039 e4c471 std::locale::_Setgloballocale 69039->69027 69117 e4c66d 69040->69117 69043 e4c65a 69045 e4c68f std::locale::_Setgloballocale 3 API calls 69043->69045 69044 e4c64a GetCurrentProcess TerminateProcess 69044->69043 69046 e4c662 ExitProcess 69045->69046 69047->69028 69049 e4c6ce GetProcAddress 69048->69049 69050 e4c6ef 69048->69050 69049->69050 69053 e4c6e2 69049->69053 69051 e4c6f5 FreeLibrary 69050->69051 69052 e4c5e3 69050->69052 69051->69052 69052->69023 69053->69050 69054->69037 69056 e4c4c6 __Getctype 69055->69056 69057 e4c52d 69056->69057 69062 e4c55b 69056->69062 69063 e4d049 69056->69063 69058 e4c54a 69057->69058 69067 e4d2ed 69057->69067 69061 e4d2ed std::locale::_Setgloballocale 44 API calls 69058->69061 69061->69062 69062->69039 69064 e4d055 __EH_prolog3 69063->69064 69071 e4cda1 69064->69071 69066 e4d07c std::locale::_Init 69066->69057 69068 e4d314 69067->69068 69069 e4d2fb 69067->69069 69068->69058 69069->69068 69082 ca1990 69069->69082 69072 e4cdad __Getctype 69071->69072 69077 e4a89a EnterCriticalSection 69072->69077 69074 e4cdbb 69078 e4cf59 69074->69078 69076 e4cdc8 std::locale::_Setgloballocale 69076->69066 69077->69074 69079 e4cf70 69078->69079 69080 e4cf78 69078->69080 69079->69076 69080->69079 69081 e4dbdd ___free_lconv_mon 13 API calls 
69080->69081 69081->69079 69083 ca19cd 69082->69083 69090 ca6450 69083->69090 69085 ca1a67 69100 e3651a 44 API calls 69085->69100 69087 ca1a8d 69088 e3615a _ValidateLocalCookies 5 API calls 69087->69088 69089 ca1aa5 69088->69089 69089->69069 69091 ca64b1 69090->69091 69097 ca6505 69090->69097 69092 ca64b9 69091->69092 69093 ca6536 69091->69093 69101 ca6aa0 69092->69101 69116 ca69c0 44 API calls 69093->69116 69097->69085 69098 ca6540 44 API calls 69099 ca64bf 69098->69099 69099->69097 69099->69098 69100->69087 69102 ca6aab 69101->69102 69103 ca6aef 69101->69103 69104 ca6ada 69102->69104 69105 ca6ab8 69102->69105 69106 ca7630 44 API calls 69103->69106 69108 ca6aea 69104->69108 69111 e36199 std::_Facet_Register RaiseException EnterCriticalSection 69104->69111 69105->69103 69107 ca6abf 69105->69107 69113 ca6ac5 69106->69113 69110 e36199 std::_Facet_Register RaiseException EnterCriticalSection 69107->69110 69108->69099 69109 e3af1f 44 API calls 69112 ca6af9 69109->69112 69110->69113 69114 ca6ae4 69111->69114 69113->69109 69115 ca6ace 69113->69115 69114->69099 69115->69099 69122 e5783e 6 API calls std::locale::_Setgloballocale 69117->69122 69119 e4c672 69120 e4c677 GetPEB 69119->69120 69121 e4c646 69119->69121 69120->69121 69121->69043 69121->69044 69122->69119 69123 def190 69134 deeab0 69123->69134 69126 def1ba 69143 def260 69126->69143 69128 ca7070 44 API calls 69128->69126 69131 def1d1 69181 def7a0 56 API calls 4 library calls 69131->69181 69133 def1dc 69135 ca7070 44 API calls 69134->69135 69136 deeac8 69135->69136 69137 deeae0 69136->69137 69139 ca77d0 44 API calls 69136->69139 69182 df1130 69137->69182 69139->69136 69140 deeaf8 69142 deeb1e 69140->69142 69186 ca85c0 44 API calls std::ios_base::_Ios_base_dtor 69140->69186 69142->69126 69142->69128 69144 def2aa 69143->69144 69145 def5b1 69143->69145 69147 ca7070 44 API calls 69144->69147 69146 e3615a _ValidateLocalCookies 5 API calls 69145->69146 69148 def1ca 69146->69148 69149 def2d0 69147->69149 69180 def5e0 55 API 
calls _ValidateLocalCookies 69148->69180 69150 def472 69149->69150 69169 def2df 69149->69169 69152 ca6e80 44 API calls 69150->69152 69151 def3c2 69153 ca8e50 44 API calls 69151->69153 69152->69151 69154 def3d6 69153->69154 69188 ca8ef0 69154->69188 69155 ca6e80 44 API calls 69155->69169 69157 ca7070 44 API calls 69157->69169 69160 ca6e80 44 API calls 69161 def405 69160->69161 69163 ca77d0 44 API calls 69161->69163 69162 ca8ef0 44 API calls 69162->69169 69164 def411 69163->69164 69165 ca77d0 44 API calls 69164->69165 69166 def41d 69165->69166 69167 ca6e80 44 API calls 69166->69167 69179 def44e 69166->69179 69168 def430 69167->69168 69171 ca6e80 44 API calls 69168->69171 69169->69151 69169->69155 69169->69157 69169->69162 69170 ca77d0 44 API calls 69169->69170 69192 cc92b0 44 API calls 69169->69192 69170->69169 69171->69179 69172 def556 69173 ca77d0 44 API calls 69172->69173 69173->69145 69174 ca7070 44 API calls 69174->69179 69176 ca8ef0 44 API calls 69176->69179 69177 ca6e80 44 API calls 69177->69179 69178 ca77d0 44 API calls 69178->69179 69179->69172 69179->69174 69179->69176 69179->69177 69179->69178 69193 cc92b0 44 API calls 69179->69193 69180->69131 69181->69133 69183 df1196 69182->69183 69184 df1162 std::ios_base::_Ios_base_dtor 69182->69184 69183->69140 69184->69183 69187 cca8a0 44 API calls std::ios_base::_Ios_base_dtor 69184->69187 69186->69140 69187->69184 69189 ca8f30 69188->69189 69189->69189 69190 ca6e80 44 API calls 69189->69190 69191 ca8f4b 69190->69191 69191->69160 69192->69169 69193->69179 69194 de0f70 69203 de0be0 69194->69203 69197 de102e GetLastError 69199 de0fda 69197->69199 69198 de0fca 69198->69199 69201 de0fe1 GetFileVersionInfoW 69198->69201 69200 de1040 DeleteFileW 69199->69200 69202 de1047 69199->69202 69200->69202 69201->69197 69201->69199 69218 da29d0 69203->69218 69206 de0c25 SHGetFolderPathW 69208 de0c43 std::locale::_Setgloballocale 69206->69208 69207 de0d8a 69209 e3615a _ValidateLocalCookies 5 API calls 69207->69209 69208->69207 
69211 de0cba GetTempPathW 69208->69211 69210 de0db8 GetFileVersionInfoSizeW 69209->69210 69210->69197 69210->69198 69225 e38750 69211->69225 69215 de0d0e Wow64DisableWow64FsRedirection CopyFileW 69216 de0d60 69215->69216 69216->69207 69217 de0d78 Wow64RevertWow64FsRedirection 69216->69217 69217->69207 69219 da2b00 79 API calls 69218->69219 69220 da29f9 69219->69220 69221 e36662 4 API calls 69220->69221 69222 da2aa7 69220->69222 69223 da2a20 std::locale::_Setgloballocale 69221->69223 69222->69206 69222->69207 69223->69222 69229 e36618 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 69223->69229 69226 de0ce2 GetTempFileNameW 69225->69226 69227 de0e20 69226->69227 69228 de0e2a 69227->69228 69228->69215 69229->69222 69230 e35d0d GetProcessHeap HeapAlloc 69231 e35d25 69230->69231 69232 e35d29 69230->69232 69240 e35a9f 69232->69240 69234 e35d34 69235 e35d50 69234->69235 69237 e35d44 69234->69237 69254 e35bab 15 API calls std::locale::_Setgloballocale 69235->69254 69238 e35d6e 69237->69238 69239 e35d5d GetProcessHeap HeapFree 69237->69239 69239->69231 69241 e35ab9 LoadLibraryExA 69240->69241 69242 e35aac DecodePointer 69240->69242 69243 e35ad2 69241->69243 69244 e35b4a 69241->69244 69242->69234 69255 e35b4f GetProcAddress EncodePointer 69243->69255 69244->69234 69246 e35ae2 69246->69244 69256 e35b4f GetProcAddress EncodePointer 69246->69256 69248 e35af9 69248->69244 69257 e35b4f GetProcAddress EncodePointer 69248->69257 69250 e35b10 69250->69244 69258 e35b4f GetProcAddress EncodePointer 69250->69258 69252 e35b27 69252->69244 69253 e35b2e DecodePointer 69252->69253 69253->69244 69254->69237 69255->69246 69256->69248 69257->69250 69258->69252 69259 e4d0b0 69262 e4cdfc 69259->69262 69261 e4d0e1 69263 e4ce08 __Getctype 69262->69263 69268 e4a89a EnterCriticalSection 69263->69268 69265 e4ce16 69269 e4ce57 69265->69269 69267 e4ce23 69267->69261 69268->69265 69270 e4ce72 69269->69270 69271 e4cee5 std::_Locinfo::_Locinfo_ctor 69269->69271 69270->69271 69272 
e4cec5 69270->69272 69279 e3f5dc 69270->69279 69271->69267 69272->69271 69273 e3f5dc 44 API calls 69272->69273 69275 e4cedb 69273->69275 69278 e4dbdd ___free_lconv_mon 13 API calls 69275->69278 69276 e4cebb 69277 e4dbdd ___free_lconv_mon 13 API calls 69276->69277 69277->69272 69278->69271 69280 e3f604 69279->69280 69281 e3f5e9 69279->69281 69282 e3f613 69280->69282 69301 e4ee3d 44 API calls 2 library calls 69280->69301 69281->69280 69283 e3f5f5 69281->69283 69288 e4ee70 69282->69288 69300 e3b02f 13 API calls ___free_lconv_mon 69283->69300 69287 e3f5fa std::locale::_Setgloballocale 69287->69276 69289 e4ee7d 69288->69289 69290 e4ee88 69288->69290 69302 e4dc17 69289->69302 69292 e4ee90 69290->69292 69298 e4ee99 __Getctype 69290->69298 69293 e4dbdd ___free_lconv_mon 13 API calls 69292->69293 69296 e4ee85 69293->69296 69294 e4eec3 RtlReAllocateHeap 69294->69296 69294->69298 69295 e4ee9e 69309 e3b02f 13 API calls ___free_lconv_mon 69295->69309 69296->69287 69298->69294 69298->69295 69310 e4c243 EnterCriticalSection std::_Facet_Register 69298->69310 69300->69287 69301->69282 69303 e4dc55 69302->69303 69308 e4dc25 __Getctype 69302->69308 69312 e3b02f 13 API calls ___free_lconv_mon 69303->69312 69305 e4dc40 RtlAllocateHeap 69306 e4dc53 69305->69306 69305->69308 69306->69296 69308->69303 69308->69305 69311 e4c243 EnterCriticalSection std::_Facet_Register 69308->69311 69309->69296 69310->69298 69311->69308 69312->69306 69313 e33814 69339 e33575 69313->69339 69315 e33824 69316 e33881 69315->69316 69326 e338a5 69315->69326 69348 e337b2 6 API calls 2 library calls 69316->69348 69318 e3388c RaiseException 69335 e33a7a 69318->69335 69319 e3391d LoadLibraryExA 69320 e33930 GetLastError 69319->69320 69321 e3397e 69319->69321 69322 e33959 69320->69322 69330 e33943 69320->69330 69325 e33989 FreeLibrary 69321->69325 69327 e33990 69321->69327 69349 e337b2 6 API calls 2 library calls 69322->69349 69323 e339ee GetProcAddress 69324 e33a4c 69323->69324 69329 e339fe GetLastError 69323->69329 
69351 e337b2 6 API calls 2 library calls 69324->69351 69325->69327 69326->69319 69326->69321 69326->69324 69326->69327 69327->69323 69327->69324 69332 e33a11 69329->69332 69330->69321 69330->69322 69331 e33964 RaiseException 69331->69335 69332->69324 69350 e337b2 6 API calls 2 library calls 69332->69350 69336 e33a32 RaiseException 69337 e33575 ___delayLoadHelper2@8 6 API calls 69336->69337 69338 e33a49 69337->69338 69338->69324 69340 e33581 69339->69340 69341 e335a7 69339->69341 69352 e3361b GetModuleHandleW GetProcAddress GetProcAddress DloadGetSRWLockFunctionPointers 69340->69352 69341->69315 69343 e335a2 69354 e335a8 GetModuleHandleW GetProcAddress GetProcAddress 69343->69354 69344 e33586 69344->69343 69353 e33744 VirtualQuery GetSystemInfo VirtualProtect DloadObtainSection DloadMakePermanentImageCommit 69344->69353 69347 e337ed 69347->69315 69348->69318 69349->69331 69350->69336 69351->69335 69352->69344 69353->69343 69354->69347 69355 d87fe0 69356 d88057 69355->69356 69357 d88017 69355->69357 69358 e36662 4 API calls 69357->69358 69359 d88021 69358->69359 69359->69356 69363 e3651a 44 API calls 69359->69363 69361 d88043 69364 e36618 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 69361->69364 69363->69361 69364->69356 69365 d8dda0 69366 d8ddd9 69365->69366 69367 d8de42 RegCreateKeyExW 69365->69367 69368 d8ddde GetModuleHandleW 69366->69368 69369 d8de35 69366->69369 69370 d8de3b 69367->69370 69371 d8dded 69368->69371 69372 d8de06 GetProcAddress 69368->69372 69369->69367 69369->69370 69373 d8de74 69370->69373 69375 d8de6b RegCloseKey 69370->69375 69372->69370 69374 d8de16 69372->69374 69374->69370 69375->69373 69376 d96da0 69377 d96deb 69376->69377 69379 d96dd8 69376->69379 69384 d874e0 56 API calls 3 library calls 69377->69384 69382 e3615a _ValidateLocalCookies 5 API calls 69379->69382 69380 d96df5 69381 ca77d0 44 API calls 69380->69381 69381->69379 69383 d96e3a 69382->69383 69384->69380 69385 cb27b1 69386 cb2837 69385->69386 69387 cb285c 
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        • SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00DB7F67
                                        • SetEvent.KERNEL32(?), ref: 00DB7FC5
                                          • Part of subcall function 00DC2AB0: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,28CB4BA0), ref: 00DC2ADB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
                                        • String ID: W$%hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$h[$h$l$>
                                        • API String ID: 4144826820-2286512649
                                        • Opcode ID: 82506c46efda586acb84b2ec38e47b6f0761b7ec1178537e6c5e3526961bae1b
                                        • Instruction ID: 16f408752f5bf57be649ea509b285c04cccfe2dc96ae338567bd30276b313518
                                        • Opcode Fuzzy Hash: 82506c46efda586acb84b2ec38e47b6f0761b7ec1178537e6c5e3526961bae1b
                                        • Instruction Fuzzy Hash: F2E2C37090064ADFDB00DBA8C845BEEF7B5FF45314F188269E416EB292EB349D05DBA1

                                        Strings
                                        • SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 00DDB3BE
                                        • PackageCode, xrefs: 00DDB69B
                                        Similarity
                                        • API ID:
                                        • String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
                                        • API String ID: 0-2409377028
                                        • Opcode ID: 2ef98742e7dcfc07124e387dde8946ad46f2a4e8e584a80587c68750aeb08f1c
                                        • Instruction ID: a80028fadeb920a5f32d7fddb52285491282c0dd83a7efb8883cab9d1e13c662
                                        • Opcode Fuzzy Hash: 2ef98742e7dcfc07124e387dde8946ad46f2a4e8e584a80587c68750aeb08f1c
                                        • Instruction Fuzzy Hash: 3F12F271A00209EFDB10DF68DC49BAEBBB8EF45324F15412AF915AB391DB75E900DB60
                                        APIs
                                        • FindClose.KERNEL32(00000000), ref: 00CBAA5F
                                        • PathIsUNCW.SHLWAPI(00000001,*.*), ref: 00CBAAC3
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 00CBAD0C
                                        • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00CBAD26
                                        • GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00CBAD5A
                                        • FindClose.KERNEL32(00000000), ref: 00CBADCB
                                        • SetLastError.KERNEL32(0000007B), ref: 00CBADD5
                                        • PathIsUNCW.SHLWAPI(?,?,28CB4BA0,?,00000000), ref: 00CBB00E
                                        Strings
                                        Similarity
                                        • API ID: Path$Find$CloseFullName$ErrorFileFirstLast
                                        • String ID: *.*$\\?\$\\?\UNC\
                                        • API String ID: 2310598285-1700010636
                                        • Opcode ID: 71567b0543c6d96958099faf7b6d6b6a7957c97af921d562c3fd75c1e6f9df86
                                        • Instruction ID: 2e7f99b5b62b0c198a86e587ffc524d675a177710d22eceea6723c33a3814bea
                                        • Opcode Fuzzy Hash: 71567b0543c6d96958099faf7b6d6b6a7957c97af921d562c3fd75c1e6f9df86
                                        • Instruction Fuzzy Hash: 32620371A006069FDB14DF68C889BAEB7B5FF44314F148668E865EB391DB71EE00CB91

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00DCEAF8
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00DCEB05
                                        • GetLastError.KERNEL32 ref: 00DCEB0F
                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00DCEB39
                                        • GetLastError.KERNEL32 ref: 00DCEB3F
                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 00DCEB65
                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DCEB98
                                        • EqualSid.ADVAPI32(00000000,?), ref: 00DCEBA7
                                        • FreeSid.ADVAPI32(?), ref: 00DCEBB6
                                        • CloseHandle.KERNEL32(00000000), ref: 00DCEBF0
                                        Similarity
                                        • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                        • String ID:
                                        • API String ID: 695978879-0
                                        • Opcode ID: aa0cf89f1b3c29c6571ff7cdf2228168de519641898660d80017d7c32cc4880c
                                        • Instruction ID: 9d03a0313bb2d858c606ddc5fe850cf4795ac8c228a721088213a1c04dc4d699
                                        • Opcode Fuzzy Hash: aa0cf89f1b3c29c6571ff7cdf2228168de519641898660d80017d7c32cc4880c
                                        • Instruction Fuzzy Hash: CB4128B590020AAFDF119FA4CD49FEEBBB9FF08314F144119E811B3290DB75AA08DB64
                                        Similarity
                                        • API ID: Init_thread_footer$HeapProcess
                                        • String ID:
                                        • API String ID: 275895251-0
                                        • Opcode ID: a726f760ceb7714a2bc1bcdbde5ac21a7a302e333cfaff5247d15ec4039354b5
                                        • Instruction ID: 8b8617c1571a6e97a43152b49034d2d1f39990102ce9cf41dcc6e7d04901e4c4
                                        • Opcode Fuzzy Hash: a726f760ceb7714a2bc1bcdbde5ac21a7a302e333cfaff5247d15ec4039354b5
                                        • Instruction Fuzzy Hash: FA62B03490025ADFDB10DFA8C984B9EBBF5BF46314F18829DE415AB292DB709E45CF60

                                         Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                         • Blocks dc4050-dc4204, entry dc4050 (call ca9e50). One path: GetLocaleInfoW (dc409c), an optional call ca97c0, then GetLocaleInfoW again (dc40f6). Other path: call ca9b10 and MsgWaitForMultipleObjectsEx (dc414b), then a message-pump loop dc41a0 -> PeekMessageW (dc41a5) -> TranslateMessage/DispatchMessageW (dc41cd) -> MsgWaitForMultipleObjectsEx (dc41db) -> dc41a0, leaving the loop at dc41f1 or dc41fb.
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • GetLocaleInfoW.KERNEL32(?,00000002,00EC337C,00000000), ref: 00DC40C1
                                        • GetLocaleInfoW.KERNEL32(?,00000002,00DC3B85,-00000001,00000078,-00000001), ref: 00DC40FD
                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00DC4181
                                        • PeekMessageW.USER32(?,00000000), ref: 00DC41C7
                                        • TranslateMessage.USER32(00000000), ref: 00DC41D2
                                        • DispatchMessageW.USER32(00000000), ref: 00DC41D9
                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00DC41EB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
                                        • String ID: %d-%s
                                        • API String ID: 445213441-1781338863
                                        • Opcode ID: fa6e293237d6ccbff2f1e1809b6fe173f6ed6483555c2a5005cf0a0cf1f8d66d
                                        • Instruction ID: 91c7b6d0dd2342f07855c21cbe63bf6e17898e29fd0fd5408b323c3079857342
                                        • Opcode Fuzzy Hash: fa6e293237d6ccbff2f1e1809b6fe173f6ed6483555c2a5005cf0a0cf1f8d66d
                                        • Instruction Fuzzy Hash: 4151F47194030AABE710DF58CC45FAABBB8EF45724F144229F614A72D0DB71A905CB60

                                         Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                         • Blocks da2350-da244f: LoadLibraryW at entry (da2350); on success GetProcAddress (da23ab). The failure edges and the success path converge at da23d4/da241c, where FreeLibrary (da242e) is called conditionally before the return block da243c.
                                        APIs
                                        • LoadLibraryW.KERNEL32(ComCtl32.dll,28CB4BA0,00000000,?,00000000), ref: 00DA238E
                                        • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DA23B1
                                        • FreeLibrary.KERNEL32(00000000), ref: 00DA242F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: ,($=-$ComCtl32.dll$LoadIconMetric
                                        • API String ID: 145871493-3367511128
                                        • Opcode ID: 9be8407bfa78ef7c089f271a1e45d1ef973de9de87fb71e1b48867721cc0d6cf
                                        • Instruction ID: 1ee1591a7e7b1af4904af4dd7b564e8aacf90f7b16027b73c050de4fd3956af2
                                        • Opcode Fuzzy Hash: 9be8407bfa78ef7c089f271a1e45d1ef973de9de87fb71e1b48867721cc0d6cf
                                        • Instruction Fuzzy Hash: 72318471904219AFDF148F99CD45BAFBBF8EB49750F04412EF915A7380D7B98904CBA0

                                         Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                         • Blocks dda240-dda449: GetUserNameW (dda240); on failure GetLastError (dda2d4) and, depending on the error, a buffer from call cd3200 (dda2ff) before GetUserNameW is retried (dda30c). GetEnvironmentVariableW (dda31e) follows the same shape: call cd3200 (dda37b) and a second GetEnvironmentVariableW (dda38a). The tail (dda3c0-dda449) calls ca7070, ca6e80 x2, ca77d0 x2 and e3615a.
                                        APIs
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 00DDA2CE
                                        • GetLastError.KERNEL32 ref: 00DDA2D4
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 00DDA31C
                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00DDA352
                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00DDA39C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: EnvironmentNameUserVariable$ErrorLast
                                        • String ID: UserDomain
                                        • API String ID: 3567734997-2275544873
                                        • Opcode ID: 5e7b34d6287c227416e3545bf2cc1a2cd3c89eb7b34e38848b4a5288433e10a9
                                        • Instruction ID: 7dfb952d6f112904f6628d3f38c60d22e072bfae29a0c17e242a6fe3970a5376
                                        • Opcode Fuzzy Hash: 5e7b34d6287c227416e3545bf2cc1a2cd3c89eb7b34e38848b4a5288433e10a9
                                        • Instruction Fuzzy Hash: 06610571A00209DFDB14DFA8C955BEEBBB5FF08304F14412AE401B7280DB75AA4ACBA1
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D61FF1
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • _wcschr.LIBVCRUNTIME ref: 00D620AF
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 00D620C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
                                        • String ID: Kernel32.dll
                                        • API String ID: 1122257418-1926710522
                                        • Opcode ID: a3adfbfc27c0721f7a0c1c28b1f9cf8efd65063da715ec036b77845f64096706
                                        • Instruction ID: 307d9c762b987710553b5ef0662d1a7ac993f195e27aff95d59c52a89f4fa433
                                        • Opcode Fuzzy Hash: a3adfbfc27c0721f7a0c1c28b1f9cf8efd65063da715ec036b77845f64096706
                                        • Instruction Fuzzy Hash: D4A18AB0501B45EFE714CF64C819BAABBF4FF04318F14825DD8599B681D7BAA618CF90
                                        APIs
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DCCA6A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: DiskFreeSpace
                                        • String ID: \$\$\
                                        • API String ID: 1705453755-3791832595
                                        • Opcode ID: d9be91c4d8462ed407dd825513eb351e49416e33294897716797bc70a5ec2d51
                                        • Instruction ID: 19d21eb00f8097b7d91c68e5caf458af8cc88374051feb6b7e35c78ce92fb78d
                                        • Opcode Fuzzy Hash: d9be91c4d8462ed407dd825513eb351e49416e33294897716797bc70a5ec2d51
                                        • Instruction Fuzzy Hash: 9741E62292421A86CB30DF248449FABB7F4FF94354F19661EEACDD3140F7708C8587A5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000008,?,00CB0DC7,?,?,00CB0B74,?), ref: 00E35D12
                                        • HeapAlloc.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35D19
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00CB0B74,?), ref: 00E35D5F
                                        • HeapFree.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35D66
                                          • Part of subcall function 00E35BAB: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00E35D55,00000000,?,?,00CB0B74,?), ref: 00E35BCF
                                          • Part of subcall function 00E35BAB: HeapAlloc.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35BD6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Alloc$Free
                                        • String ID:
                                        • API String ID: 1864747095-0
                                        • Opcode ID: 6b8365a3b3581fdc9fcbe35da0113579134af985b6576aa26d28aeeec5832b51
                                        • Instruction ID: 7513a63bc491524fd2860757e625db3dafbbbc0b0953d1905dc9c7fdbbef6351
                                        • Opcode Fuzzy Hash: 6b8365a3b3581fdc9fcbe35da0113579134af985b6576aa26d28aeeec5832b51
                                        • Instruction Fuzzy Hash: 83F0B433604F125BD7253FB9BD0CA5B2EADAF80791F025528F506F6354DE20C805DB60
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00DA444F
                                        • FindClose.KERNEL32(00000000), ref: 00DA44AE
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Find$AllocCloseFileFirstHeap
                                        • String ID:
                                        • API String ID: 2507753907-0
                                        • Opcode ID: 2e3b29a5342001944eeaef472b0fb15a1eca5b6710d517a13ffbf3d8ab3e36c4
                                        • Instruction ID: 0f580fb4238c31acf4c30609f4f6df1e1ad28a5f6fd64f166cbb570ae9b170d1
                                        • Opcode Fuzzy Hash: 2e3b29a5342001944eeaef472b0fb15a1eca5b6710d517a13ffbf3d8ab3e36c4
                                        • Instruction Fuzzy Hash: 05310130905218DBDB38DF54CC49BAAB7F4FB89314F24866AE919A7380D7F19D44CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$HeapProcess
                                        • String ID:
                                        • API String ID: 275895251-0
                                        • Opcode ID: 9510ef2980162730115b95b130ec100a46332ff020b18fcc22760268333d1273
                                        • Instruction ID: 0779eb6b068672509c114f7be6c66c8901c1d8b80dc6106ec65a00e79a0bf194
                                        • Opcode Fuzzy Hash: 9510ef2980162730115b95b130ec100a46332ff020b18fcc22760268333d1273
                                        • Instruction Fuzzy Hash: B7E16D70A0064ADFDB14DFA8CC85FAEB7B4FF45324F18816DE815AB291DB74A905CB60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f37c99c6c114097e24867574e48e74cab473ee63ea7fbce319e6ed3fa5f7c998
                                        • Instruction ID: 6061500d381f4613eaf7d47d6943ebafe1635c6c8758a8b7c6a768d44d088eb7
                                        • Opcode Fuzzy Hash: f37c99c6c114097e24867574e48e74cab473ee63ea7fbce319e6ed3fa5f7c998
                                        • Instruction Fuzzy Hash: EF415A319116499FDB24DF68C959BEAB7B5FF11320F188229F825A72D1EB709E04CB60
                                        APIs
                                        • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,28CB4BA0,28CB4BA0,?,?,?,00000000,00EA6015), ref: 00DDBBA8
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,28CB4BA0,28CB4BA0,?,?,?,00000000,00EA6015,000000FF), ref: 00DDBBCA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Create$FileNamedPipe
                                        • String ID:
                                        • API String ID: 1328467360-0
                                        • Opcode ID: 0be21065670027ae898440ca2436b598838d5d1138b2c5b1c7ca803bb0d41efe
                                        • Instruction ID: 48c680c05956192abf2914d0ae7c6bb6e15da22b33d729fdd3d969559c80bbad
                                        • Opcode Fuzzy Hash: 0be21065670027ae898440ca2436b598838d5d1138b2c5b1c7ca803bb0d41efe
                                        • Instruction Fuzzy Hash: 3831D231684745AFD7218F14CC01B96BBA5EB05720F14865FF9A5AB7D0DB71A900CB54
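The API listings above are the raw material for triage: the LoadLibraryW/GetProcAddress pair at 00DA238E (ComCtl32.dll, LoadIconMetric), the GetUserNameW / GetLastError / GetUserNameW / GetEnvironmentVariableW("UserDomain") sequence starting at 00DDA2CE, and the CreateNamedPipeW followed by CreateFileW at 00DDBBA8. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample. It parses listing lines in the report's own format, decodes the numeric arguments against Win32 constants and flags those three sequences. The rule names, the helper functions, the function labels and the assumption that each listing line is one call rendered in address order are the example's own.

```python
"""Parse Joe Sandbox per-function API listings and flag call patterns.
Added example, not code from the report or the analysed sample: the input lines are copied
from this report's listings as constructed data; rules, helpers and tables are the example's own."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# "• Api.MODULE(arg,...), ref: ADDR", optionally prefixed "Part of subcall function X:";
# calls without arguments (GetLastError) are rendered with no parentheses and no comma.
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

class Call(NamedTuple):
    api: str
    module: str
    args: List[str]   # raw tokens: hex, "?" for unresolved, or a string literal
    ref: int          # call-site address

def parse_line(line: str) -> Optional[Call]:
    m = _LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return Call(m["api"], m["mod"], args, int(m["ref"], 16))

def _hex(tok: str) -> Optional[int]:
    try:
        return int(tok, 16)
    except ValueError:    # "?" or a string literal such as ComCtl32.dll
        return None

def _flags(value: int, table: Dict[int, str]) -> str:
    return "|".join(n for bit, n in table.items() if value & bit) or "0"

# Win32 constants used to make the raw arguments readable.
PIPE_ACCESS = {1: "PIPE_ACCESS_INBOUND", 2: "PIPE_ACCESS_OUTBOUND", 3: "PIPE_ACCESS_DUPLEX"}
PIPE_MODE = {0x4: "PIPE_TYPE_MESSAGE", 0x2: "PIPE_READMODE_MESSAGE", 0x1: "PIPE_NOWAIT"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def describe_pipe(c: Call) -> str:
    """CreateNamedPipeW(name, dwOpenMode, dwPipeMode, nMaxInstances, out, in, timeout, sa)."""
    vals = [_hex(a) for a in c.args[1:7]]
    if len(vals) < 6 or None in vals:
        return "CreateNamedPipeW(unresolved args)"
    open_mode, pipe_mode, inst, out_buf, in_buf, timeout = vals
    return (f"{PIPE_ACCESS.get(open_mode & 3, '?')} {_flags(pipe_mode, PIPE_MODE)} "
            f"instances={'unlimited' if inst == 0xFF else inst} buf={out_buf}/{in_buf} timeout={timeout}ms")

def describe_createfile(c: Call) -> str:
    # CreateFileW(name, dwDesiredAccess, share, sa, dwCreationDisposition, flags, template)
    access, disp = (_hex(c.args[1]), _hex(c.args[4])) if len(c.args) > 4 else (None, None)
    if access is None or disp is None:
        return "CreateFileW(unresolved args)"
    return f"{_flags(access, GENERIC)} {DISPOSITION.get(disp, '?')}"

def classify(calls: List[Call]) -> List[Tuple[str, str]]:
    """Flag call sequences inside one function that deserve a second look."""
    findings = []
    # LoadLibrary* then GetProcAddress: API bound at run time, absent from the import table.
    libs = [c for c in calls if c.api.startswith("LoadLibrary")]
    for gpa in (c for c in calls if c.api == "GetProcAddress"):
        earlier = [l for l in libs if l.ref < gpa.ref]
        lib = earlier[-1].args[0] if earlier and earlier[-1].args else "?"
        sym = gpa.args[1] if len(gpa.args) > 1 else "?"
        findings.append(("dynamic_api_resolution", f"{lib}!{sym}"))
    # Same API, GetLastError, same API again: the size-query-then-allocate idiom.
    for i in range(1, len(calls) - 1):
        if calls[i].api == "GetLastError" and calls[i - 1].api == calls[i + 1].api:
            findings.append(("buffer_size_probe", calls[i - 1].api))
    # User name plus the UserDomain variable: identity and domain enumeration.
    envs = {c.args[0] for c in calls if c.api == "GetEnvironmentVariableW" and c.args}
    if any(c.api == "GetUserNameW" for c in calls) and "UserDomain" in envs:
        findings.append(("user_domain_enum", "GetUserNameW + %UserDomain%"))
    # Server end of a pipe created and then opened with CreateFileW in the same function.
    for p in (c for c in calls if c.api == "CreateNamedPipeW"):
        clients = [c for c in calls if c.api == "CreateFileW" and c.ref > p.ref]
        if clients:
            findings.append(("named_pipe_self_open", f"{describe_pipe(p)}; client {describe_createfile(clients[0])}"))
    return findings

def analyse(listings: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    return {fn: classify([c for c in map(parse_line, lines) if c]) for fn, lines in listings.items()}

# Constructed input: lines copied from this report's API listings. Keys are the CFG entry
# addresses the report shows; the pipe function's start address is not on the page.
FUNCTIONS = {
    "da2350": [
        "• LoadLibraryW.KERNEL32(ComCtl32.dll,28CB4BA0,00000000,?,00000000), ref: 00DA238E",
        "• GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DA23B1",
        "• FreeLibrary.KERNEL32(00000000), ref: 00DA242F",
    ],
    "dda240": [
        "• GetUserNameW.ADVAPI32(00000000,?), ref: 00DDA2CE",
        "• GetLastError.KERNEL32 ref: 00DDA2D4",
        "• GetUserNameW.ADVAPI32(00000000,?), ref: 00DDA31C",
        "• GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00DDA352",
    ],
    "pipe_fn": [
        "• CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,28CB4BA0,28CB4BA0,?,?,?,00000000,00EA6015), ref: 00DDBBA8",
        "• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,28CB4BA0,28CB4BA0,?,?,?,00000000,00EA6015,000000FF), ref: 00DDBBCA",
    ],
}
```

`analyse(FUNCTIONS)` reports one finding per rule hit, with the decoded pipe as PIPE_ACCESS_DUPLEX, message type and read mode, unlimited instances, 32656-byte buffers and a 5000 ms default timeout, and the client handle opened GENERIC_READ|GENERIC_WRITE with OPEN_EXISTING. None of these rules is a verdict on its own: resolving LoadIconMetric through GetProcAddress is the documented way to stay loadable on systems whose ComCtl32 lacks it, and creating a named pipe and immediately opening its client end in the same process is a common way to obtain an overlapped-capable pipe pair for child-process I/O. The value of the rules is that they surface the library, symbol and pipe parameters for the analyst instead of a bare API name.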
                                        APIs
                                        • __set_se_translator.LIBVCRUNTIME ref: 00CD21F8
                                        • SetUnhandledExceptionFilter.KERNEL32(00DA0760), ref: 00CD220E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled__set_se_translator
                                        • String ID:
                                        • API String ID: 2480343447-0
                                        • Opcode ID: ed8422ec33cd381af97493309fd8d0cd32b763360b79d64a6337dfba66d2085c
                                        • Instruction ID: 7139e214c752db0974433378e1d596350de961bc3425abec6618657adfc564e6
                                        • Opcode Fuzzy Hash: ed8422ec33cd381af97493309fd8d0cd32b763360b79d64a6337dfba66d2085c
                                        • Instruction Fuzzy Hash: 82E0267A9003002EC31253619C0EF4B3FA4ABA3B11F054049F608A3262C770640CC772
                                        APIs
                                          • Part of subcall function 00DA2890: __Init_thread_footer.LIBCMT ref: 00DA2970
                                        • CoCreateInstance.COMBASE(00EC31D8,00000000,00000001,00EDF490,000000B0), ref: 00DE6DCE
                                        Similarity
                                        • API ID: CreateInit_thread_footerInstance
                                        • String ID:
                                        • API String ID: 3436645735-0
                                        • Opcode ID: e93b4d84384f9143d56a4869217b4cc3f4c558f7a65f9481897282fb831da366
                                        • Instruction ID: 3b67b5740c8c9d4e57f40249e4277b9d3ebfcca362afa956a8ba27ec31ed79f5
                                        • Opcode Fuzzy Hash: e93b4d84384f9143d56a4869217b4cc3f4c558f7a65f9481897282fb831da366
                                        • Instruction Fuzzy Hash: 6711ED71604344EFD720CF59CC05B86BBF8EB06B20F10461EE825AB7C0C7B6A404CBA0
                                        Similarity
                                        • API ID: Init_thread_footer$CreateHeapInstanceProcess
                                        • String ID:
                                        • API String ID: 3807588171-0
                                        • Opcode ID: b954390aaf924a981bac3727238d7fd17f76f4e1933f7e9c8acda4ce8ab4d480
                                        • Instruction ID: 086d31494ac00c8af5a8f34631bc2e4cd190a388cab82777f8a34f1e8a3dcdb0
                                        • Opcode Fuzzy Hash: b954390aaf924a981bac3727238d7fd17f76f4e1933f7e9c8acda4ce8ab4d480
                                        • Instruction Fuzzy Hash: 4B6186B5500744CFE710DF65C54938ABBF0FF05308F248A5DD88AAB382D7B9A60ADB90

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00DA2C0E
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00DA2C55
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00DA2C74
                                        • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00DA2CA3
                                        • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00DA2D18
                                        • RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00DA2D81
                                        • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00DA2DE4
                                        • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00DA2E36
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00DA2ED3
                                        • GetProcAddress.KERNEL32(00000000), ref: 00DA2EDA
                                        • __Init_thread_footer.LIBCMT ref: 00DA2EEE
                                        • GetCurrentProcess.KERNEL32(?), ref: 00DA2F11
                                        • IsWow64Process.KERNEL32(00000000), ref: 00DA2F18
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00DA2F52
                                        Strings
                                        Similarity
                                        • API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
                                        • String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
                                        • API String ID: 1906320730-525127412
                                        • Opcode ID: 10286c5b96dd48e6a07238be58aa93db83a4eb6648eb0ac0be9a77755e61a1a7
                                        • Instruction ID: 756676d83ea0c36e711115dc27165d5417cb203aee79c8ed27f9e5806e3f16f2
                                        • Opcode Fuzzy Hash: 10286c5b96dd48e6a07238be58aa93db83a4eb6648eb0ac0be9a77755e61a1a7
                                        • Instruction Fuzzy Hash: 70A1A27190031CDEDB20DF25CC45BAAB7F8FB16714F0441AAE848F6290EB749A84CF91

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00DA2FF0
                                        • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00DA302B
                                        • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00DA30A6
                                        • RegCloseKey.KERNEL32(00000000), ref: 00DA327E
                                        Strings
                                        Similarity
                                        • API ID: QueryValue$CloseOpen
                                        • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                        • API String ID: 1586453840-3149529848
                                        • Opcode ID: db3f683faccc30db17a30c7e335b880eb669c46aec0dce9e97d09b6dce09570b
                                        • Instruction ID: 9d6edfd05ae25c9b0dcde914fd428c1462fd6e7e6d3c4d9d353297f1c623c1e1
                                        • Opcode Fuzzy Hash: db3f683faccc30db17a30c7e335b880eb669c46aec0dce9e97d09b6dce09570b
                                        • Instruction Fuzzy Hash: 2F71E6307003499BDB209B24CC567AAB266EB93344F185079F905BB381EB38DF46DB76

                                        Control-flow Graph

                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00DC49DC
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                          • Part of subcall function 00CB2970: RaiseException.KERNEL32(?,?,00000000,00000000,00E35A3C,C000008C,00000001,?,00E35A6D,00000000,?,00CA91C7,00000000,28CB4BA0,00000001,?), ref: 00CB297C
                                        • __Init_thread_footer.LIBCMT ref: 00DC4A2C
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AllocConditionExceptionHeapRaiseVariableWake
                                        • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$shfolder.dll
                                        • API String ID: 4172833244-3044903971
                                        • Opcode ID: f22c9cedc8c58b843063d501b790730d903c642d0b312442140053d7974de68a
                                        • Instruction ID: cb205efb03f9ff01ac6c3324f3249333a8b2c3f9af39da59d55bab2e1c695764
                                        • Opcode Fuzzy Hash: f22c9cedc8c58b843063d501b790730d903c642d0b312442140053d7974de68a
                                        • Instruction Fuzzy Hash: F27136719002079BDB10EBA8C966FBAB7B1EF21314F18456CE866E7291E771DD01C772

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryW.KERNEL32(?,?,00DC181B,?,?,?,?,?), ref: 00DDF7C5
                                        Strings
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: ,($EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                        • API String ID: 1029625771-1556212548
                                        • Opcode ID: 06068f7b0e11064fbe7a978787c95db839f5991e30fd709c74186c6084faeed2
                                        • Instruction ID: db02f1eefcbf7762a0c3639b0c5d4689d4ef75b2b567c8df1570247f6a5a5867
                                        • Opcode Fuzzy Hash: 06068f7b0e11064fbe7a978787c95db839f5991e30fd709c74186c6084faeed2
                                        • Instruction Fuzzy Hash: E9014C7AD08619ABCB14EB28EC088467BB1FB25722700813BED1297372D6348819EF90

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • GetTickCount.KERNEL32 ref: 00DB6554
                                        • __Xtime_get_ticks.LIBCPMT ref: 00DB655C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB65A6
                                        • __Init_thread_footer.LIBCMT ref: 00DB67A1
                                        • GetCurrentProcess.KERNEL32 ref: 00DB6B06
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00DB6B16
                                        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00DB6B42
                                        • CloseHandle.KERNEL32(00000000), ref: 00DB6B83
                                        Strings
                                        Similarity
                                        • API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                        • String ID: \/:*?"<>|
                                        • API String ID: 3363527671-3830478854
                                        • Opcode ID: be7a350864282cf02b25325b68422cc7eb7384c8321a495b751f41571a05dff1
                                        • Instruction ID: e736de5a13f17702e0363cdb457fb5e57eddf361f99a3f5e4ac2eab346277f4c
                                        • Opcode Fuzzy Hash: be7a350864282cf02b25325b68422cc7eb7384c8321a495b751f41571a05dff1
                                        • Instruction Fuzzy Hash: 4522AE70900219DFDB10DF68CD55BEEBBB4FF15308F144298E809AB282DBB49A44DFA1

                                        Control-flow Graph

                                        APIs
                                        • DecodePointer.KERNEL32(?,?,?,00E35DE5,00F44C90,?,?,?,00D000E6,?,28CB4BA0,?,?,?,00D481B7), ref: 00E35AB1
                                        • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00E35DE5,00F44C90,?,?,?,00D000E6,?,28CB4BA0,?,?), ref: 00E35AC6
                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D481B7), ref: 00E35B42
                                        Strings
                                        Similarity
                                        • API ID: DecodePointer$LibraryLoad
                                        • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                        • API String ID: 1423960858-1745123996
                                        • Opcode ID: 5b1be7f1d79399e198da10ee352b99b8c501348a3933b861a49ed84102001ba1
                                        • Instruction ID: 11c079eb74c5ebdc20fe1f26161fd3a14466197fdc140b69b2eec148cce97449
                                        • Opcode Fuzzy Hash: 5b1be7f1d79399e198da10ee352b99b8c501348a3933b861a49ed84102001ba1
                                        • Instruction Fuzzy Hash: 3601F972642B04BFCB21A7209D4BFEBBF995F1274AF081050FD0677392EB91D908D196

                                         Control-flow Graph
                                        control_flow_graph 1597 de0be0-de0c1f call da29d0 1600 de0c25-de0c41 SHGetFolderPathW 1597->1600 1601 de0d93-de0d9b call de0e20 1597->1601 1602 de0c4d-de0c5c 1600->1602 1603 de0c43-de0c4b 1600->1603 1610 de0d9f 1601->1610 1605 de0c5e 1602->1605 1606 de0c72-de0c83 call d87f40 1602->1606 1603->1602 1603->1603 1608 de0c60-de0c68 1605->1608 1614 de0ca7-de0d5e call e38750 GetTempPathW call e38750 GetTempFileNameW call de0e20 Wow64DisableWow64FsRedirection CopyFileW 1606->1614 1615 de0c85 1606->1615 1608->1608 1611 de0c6a-de0c6c 1608->1611 1613 de0da1-de0dbb call e3615a 1610->1613 1611->1601 1611->1606 1626 de0d68-de0d76 1614->1626 1627 de0d60-de0d63 call de0e20 1614->1627 1617 de0c90-de0c9c 1615->1617 1617->1601 1620 de0ca2-de0ca5 1617->1620 1620->1614 1620->1617 1626->1610 1629 de0d78-de0d88 Wow64RevertWow64FsRedirection 1626->1629 1627->1626 1629->1613 1630 de0d8a-de0d91 1629->1630 1630->1613
                                        APIs
                                          • Part of subcall function 00DA29D0: __Init_thread_footer.LIBCMT ref: 00DA2AA2
                                        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,28CB4BA0,00000000,00000000), ref: 00DE0C34
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00DE0CC9
                                        • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00DE0CFA
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00DE0D2D
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00DE0D4F
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00DE0D7E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
                                        • String ID: shim_clone
                                        • API String ID: 4264308349-3944563459
                                        • Opcode ID: be1a82056a4e65085a4d3aa0b7bd7eca64567d4d8d2f065baa8ac580ad7523ca
                                        • Instruction ID: 4eb461fbbd32df3508fe9e096b7ad13eb3c5e454577493773341a0612bc5b9cb
                                        • Opcode Fuzzy Hash: be1a82056a4e65085a4d3aa0b7bd7eca64567d4d8d2f065baa8ac580ad7523ca
                                        • Instruction Fuzzy Hash: 7C512930A402589EDB20EF65CC45BAEBBF9EF44700F1441A9F409A72C1DBB09E84CBA0

                                         Control-flow Graph
                                        control_flow_graph 1643 dc2810-dc284d 1644 dc284f-dc2859 call ca97c0 1643->1644 1645 dc285b-dc2867 call dcc990 1643->1645 1644->1645 1650 dc286d-dc2878 1645->1650 1651 dc2952-dc2954 1645->1651 1652 dc28a8-dc28af 1650->1652 1653 dc287a-dc2892 call da44f0 1650->1653 1654 dc2956 1651->1654 1655 dc2973-dc2977 1651->1655 1659 dc2939-dc294f 1652->1659 1660 dc28b5-dc28bc call ca9e50 1652->1660 1668 dc2894 1653->1668 1669 dc2897-dc28a2 1653->1669 1661 dc295c-dc2969 call da4920 1654->1661 1662 dc2958-dc295a 1654->1662 1657 dc297d-dc297f 1655->1657 1658 dc2a8f-dc2aa2 1655->1658 1664 dc2982-dc2989 call ca9e50 1657->1664 1673 dc2aa5-dc2aaf call ca9b10 1660->1673 1674 dc28c2-dc28e9 call cba950 1660->1674 1667 dc296e-dc2971 1661->1667 1662->1655 1662->1661 1664->1673 1675 dc298f-dc29fc call ca8e30 CreateFileW call d9f300 1664->1675 1667->1657 1668->1669 1669->1651 1669->1652 1684 dc2909-dc292f call dd74c0 1674->1684 1685 dc28eb-dc28ed 1674->1685 1695 dc29fe 1675->1695 1696 dc2a1a-dc2a25 1675->1696 1684->1659 1694 dc2931-dc2934 1684->1694 1687 dc28f0-dc28f9 1685->1687 1687->1687 1690 dc28fb-dc2904 call cba950 1687->1690 1690->1684 1694->1659 1698 dc2a08-dc2a18 1695->1698 1699 dc2a00-dc2a06 1695->1699 1697 dc2a28-dc2a4f SetFilePointer SetEndOfFile 1696->1697 1700 dc2a5f-dc2a74 1697->1700 1701 dc2a51-dc2a58 CloseHandle 1697->1701 1698->1697 1699->1696 1699->1698 1702 dc2a7e-dc2a89 1700->1702 1703 dc2a76-dc2a79 1700->1703 1701->1700 1702->1658 1702->1664 1703->1702
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00DC29D1
                                        • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00DC2A30
                                        • SetEndOfFile.KERNEL32(?), ref: 00DC2A39
                                        • CloseHandle.KERNEL32(?), ref: 00DC2A52
                                        Strings
                                        • Not enough disk space to extract file:, xrefs: 00DC28DB
                                        • %sholder%d.aiph, xrefs: 00DC29AD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointer
                                        • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                        • API String ID: 22866420-929304071
                                        • Opcode ID: 6e5e759cdcbc0f3d7db4803a71cca3ab962b0ad4b1738e680fb44de04a1fd941
                                        • Instruction ID: 249db76b75d3970c4c6e0a3ec039e7855b88daac1efa93dca49db8457f7c1bc5
                                        • Opcode Fuzzy Hash: 6e5e759cdcbc0f3d7db4803a71cca3ab962b0ad4b1738e680fb44de04a1fd941
                                        • Instruction Fuzzy Hash: B2818F71A0020A9FDB10DF68CC45BAEB7A5EF49714F18462DF925E7391EB319D01CBA0

                                         Control-flow Graph
                                        control_flow_graph 1704 de1080-de10d0 call ca9650 1707 de10d2-de10dd call ca97c0 1704->1707 1708 de10e0-de10f2 GetFileVersionInfoSizeW 1704->1708 1707->1708 1710 de10f8-de1103 call dc2c10 1708->1710 1711 de1244 1708->1711 1719 de110d-de111a 1710->1719 1720 de1105-de1108 1710->1720 1712 de1246-de125b 1711->1712 1715 de125d-de1260 1712->1715 1716 de1265-de128f call e36a15 1712->1716 1715->1716 1721 de111c-de1127 call ca97c0 1719->1721 1722 de112a-de113b GetFileVersionInfoW 1719->1722 1720->1711 1721->1722 1722->1711 1725 de1141-de114a call ca9e50 1722->1725 1729 de1290-de12a3 call ca9b10 call de12c0 1725->1729 1730 de1150-de1175 VerQueryValueW 1725->1730 1737 de12a8-de12ad 1729->1737 1735 de1189-de118e 1730->1735 1736 de1177-de117b 1730->1736 1739 de1193-de11b2 call ca8e30 1735->1739 1736->1735 1738 de117d-de1187 1736->1738 1740 de12af-de12b7 call e36168 1737->1740 1741 de12ba-de12bd 1737->1741 1738->1739 1745 de11b4-de11bf call ca97c0 1739->1745 1746 de11c2-de11d4 1739->1746 1740->1741 1745->1746 1751 de1229-de123a 1746->1751 1752 de11d6-de11da 1746->1752 1751->1711 1753 de123c-de123f 1751->1753 1752->1751 1754 de11dc-de11e1 1752->1754 1753->1711 1755 de11e7-de11ef 1754->1755 1756 de11e3-de11e5 1754->1756 1758 de11f0-de11f9 1755->1758 1757 de1200-de121b call ca99c0 1756->1757 1762 de121d-de1220 1757->1762 1763 de1225-de1227 1757->1763 1758->1758 1759 de11fb-de11fe 1758->1759 1759->1757 1762->1763 1763->1712
                                        APIs
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,28CB4BA0,28CB4BA0,?,00F44C50,?,?,00DC3989,?,28CB4BA0,?,?,?,00000000,00EA10D5), ref: 00DE10E5
                                        • GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,00F44C50,?,?,00DC3989,?,28CB4BA0,?,?,?,00000000), ref: 00DE1133
                                        • VerQueryValueW.KERNELBASE(?,\VarFileInfo\Translation,00DC3989,?,?,00F44C50,?,?,00DC3989,?,28CB4BA0,?,?,?,00000000,00EA10D5), ref: 00DE116D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: FileInfoVersion$QuerySizeValue
                                        • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                        • API String ID: 2179348866-2149928195
                                        • Opcode ID: d4d92bd9e5cb1651a9ee6452e82defcc113ba479dfea9f886341aeeedc34da2c
                                        • Instruction ID: 90c20756fad00a44b2468f5d0dacd9019690ca56763f75449ec7e263c4616407
                                        • Opcode Fuzzy Hash: d4d92bd9e5cb1651a9ee6452e82defcc113ba479dfea9f886341aeeedc34da2c
                                        • Instruction Fuzzy Hash: 0F71B375A0124A9FDB14EFA9CC46AAEB7F9FF05314F188169E911E7291D7309D00CBA0

                                         Control-flow Graph
                                        control_flow_graph 1764 ddf2f0-ddf33b call dc2c10 1767 ddf33d-ddf342 1764->1767 1768 ddf347-ddf355 1764->1768 1769 ddf4f1-ddf51b call e36a15 1767->1769 1770 ddf360-ddf381 1768->1770 1772 ddf38b-ddf3a2 SetFilePointer 1770->1772 1773 ddf383-ddf389 1770->1773 1775 ddf3a4-ddf3ac GetLastError 1772->1775 1776 ddf3b2-ddf3c7 ReadFile 1772->1776 1773->1772 1775->1776 1777 ddf4ec 1775->1777 1776->1777 1778 ddf3cd-ddf3d4 1776->1778 1777->1769 1778->1777 1779 ddf3da-ddf3eb 1778->1779 1779->1770 1780 ddf3f1-ddf3fd 1779->1780 1781 ddf400-ddf404 1780->1781 1782 ddf406-ddf40f 1781->1782 1783 ddf411-ddf415 1781->1783 1782->1781 1782->1783 1784 ddf438-ddf43a 1783->1784 1785 ddf417-ddf41d 1783->1785 1787 ddf43d-ddf43f 1784->1787 1785->1784 1786 ddf41f-ddf422 1785->1786 1788 ddf434-ddf436 1786->1788 1789 ddf424-ddf42a 1786->1789 1790 ddf454-ddf456 1787->1790 1791 ddf441-ddf444 1787->1791 1788->1787 1789->1784 1794 ddf42c-ddf432 1789->1794 1792 ddf458-ddf461 1790->1792 1793 ddf466-ddf48c SetFilePointer 1790->1793 1791->1780 1795 ddf446-ddf44f 1791->1795 1792->1770 1793->1777 1796 ddf48e-ddf4a3 ReadFile 1793->1796 1794->1784 1794->1788 1795->1770 1796->1777 1797 ddf4a5-ddf4a9 1796->1797 1797->1777 1798 ddf4ab-ddf4b5 1797->1798 1799 ddf4cf-ddf4d4 1798->1799 1800 ddf4b7-ddf4bd 1798->1800 1799->1769 1800->1799 1801 ddf4bf-ddf4c7 1800->1801 1801->1799 1802 ddf4c9-ddf4cd 1801->1802 1802->1799 1803 ddf4d6-ddf4ea 1802->1803 1803->1769
                                        APIs
                                        • SetFilePointer.KERNEL32(?,-00000400,?,00000002,00000400,28CB4BA0,?,?,?,?,?), ref: 00DDF396
                                        • GetLastError.KERNEL32(?,?,?,?), ref: 00DDF3A4
                                        • ReadFile.KERNEL32(?,00000000,00000400,000000FF,00000000,?,?,?,?), ref: 00DDF3BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$ErrorLastPointerRead
                                        • String ID: ADVINSTSFX
                                        • API String ID: 64821003-4038163286
                                        • Opcode ID: 03bcfedd92a5bc073cafa1034ad10d8791d99e7d52ea01b35efa419528bdba9f
                                        • Instruction ID: 2a99b6209dc356ed9c244d1a480ebad74a9b2d4b31a3164a10f170bea8891366
                                        • Opcode Fuzzy Hash: 03bcfedd92a5bc073cafa1034ad10d8791d99e7d52ea01b35efa419528bdba9f
                                        • Instruction Fuzzy Hash: DA61A171A002099BDB10CFA8C985BAFBBB9FF45324F294266E516A7381D734DD46CB70
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00CB2850
                                        • GetWindowLongW.USER32(?,000000FC), ref: 00CB2865
                                        • CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00CB287B
                                        • GetWindowLongW.USER32(?,000000FC), ref: 00CB2895
                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 00CB28A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$CallProc
                                        • String ID: $
                                        • API String ID: 513923721-3993045852
                                        • Opcode ID: d88a83f0b23b1ace31faffd6e91b06cdee0463148d637a32fb999e1b2d73b755
                                        • Instruction ID: 4406caa3763b4ac25baa94ab08fb367aa951def651fd3585d314db4ec2f1432c
                                        • Opcode Fuzzy Hash: d88a83f0b23b1ace31faffd6e91b06cdee0463148d637a32fb999e1b2d73b755
                                        • Instruction Fuzzy Hash: 35411272508700AFC720DF19D884A5BBBF5FF99720F504A1DF9A6836A0D772E9448F51
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,28CB4BA0,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00D8DDE3
                                        • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00D8DE0C
                                        • RegCreateKeyExW.KERNEL32(?,00CB7229,00000000,00000000,00000000,?,00000000,00000000,?,28CB4BA0,?,?,?,00000000,?,Function_001BDD00), ref: 00D8DE59
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00D8DE6C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressCloseCreateHandleModuleProc
                                        • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                        • API String ID: 1765684683-2994018265
                                        • Opcode ID: 4224e47394831791f49411056e05967b2582f7dd487e9210dc70f99322053047
                                        • Instruction ID: 14d1543c214b05033f4fcc199ba74d1d63cf05a638bbac52da056e9968fad4ee
                                        • Opcode Fuzzy Hash: 4224e47394831791f49411056e05967b2582f7dd487e9210dc70f99322053047
                                        • Instruction Fuzzy Hash: 2B31B472640209AFEB259F45DC45FABB7A9FB54B50F14412AF905EB2C0E771A800C7A0
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,28CB4BA0,?,?,?,?,?,Function_001BDD00,000000FF,?,00D9EE1C,?,?,000000FF), ref: 00D6D943
                                        • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D6D96C
                                        • RegOpenKeyExW.KERNEL32(?,28CB4BA0,00000000,?,00000000,28CB4BA0,?,?,?,?,?,Function_001BDD00,000000FF,?,00D9EE1C,?), ref: 00D6D9A5
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BDD00,000000FF,?,00D9EE1C,?,?,000000FF), ref: 00D6D9B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressCloseHandleModuleOpenProc
                                        • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                        • API String ID: 823179699-3913318428
                                        • Opcode ID: 807aa7a8d00bb085607755a4c97369de23c8b8a50dac662d7f81250fd01e5007
                                        • Instruction ID: ce351339e27a7021085c71e33d40115ad540cb5364abf47a14d9bab713fa587e
                                        • Opcode Fuzzy Hash: 807aa7a8d00bb085607755a4c97369de23c8b8a50dac662d7f81250fd01e5007
                                        • Instruction Fuzzy Hash: 8B21A372B04209EFEB158F55EC45B6BBBB9FB45750F04852BF815E7290E771A800CB60
                                        APIs
                                        • GetDlgItem.USER32(?,00000002), ref: 00DBD230
                                        • GetWindowRect.USER32(00000000,?), ref: 00DBD246
                                        • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00DBCFF7,?,00000000), ref: 00DBD25F
                                        • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00DBCFF7,?), ref: 00DBD26A
                                        • GetDlgItem.USER32(?,000003E9), ref: 00DBD27C
                                        • GetWindowRect.USER32(00000000,?), ref: 00DBD292
                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 00DBD2D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Item$InvalidateShow
                                        • String ID:
                                        • API String ID: 2147159307-0
                                        • Opcode ID: 2dcbd4b9b82546852634c31fbc2a0c03402e90269d091c972b4f125c9a914cb8
                                        • Instruction ID: 0431257f830eeb783f8493ac1fb5e9dffeccd9f389910514f37759e5345164ba
                                        • Opcode Fuzzy Hash: 2dcbd4b9b82546852634c31fbc2a0c03402e90269d091c972b4f125c9a914cb8
                                        • Instruction Fuzzy Hash: 6F217A74614304AFE300DF34DC49B6ABBE9EF89304F108619F859AA2A1E770E945CB62
                                        APIs
                                        • SetFilePointer.KERNEL32(?,?,?,00000000,28CB4BA0,?,?,00000002,?,?,?,?,?,?,00000000,00EA0932), ref: 00DC1047
                                        • GetLastError.KERNEL32(?,00000002), ref: 00DC12D9
                                        • GetLastError.KERNEL32(?,00000002), ref: 00DC1383
                                        • GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00EA0932,000000FF,?,00DBFF4A,00000010), ref: 00DC1056
                                          • Part of subcall function 00DA2230: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,28CB4BA0,00000008,00000000), ref: 00DA227B
                                          • Part of subcall function 00DA2230: GetLastError.KERNEL32 ref: 00DA2285
                                        • ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00DC1118
                                        • ReadFile.KERNEL32(?,28CB4BA0,00000000,00000000,00000000,00000001,?,00000002), ref: 00DC1195
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast$File$Read$FormatMessagePointer
                                        • String ID:
                                        • API String ID: 3903527278-0
                                        • Opcode ID: 91f4c976733624ef17da0a500b737c7e3b2638b2a0f699d7549b82957a3873e8
                                        • Instruction ID: 9924fb971d6be2d49e13fc4cbec760514e07963402a5a4b179d30c9448e703ee
                                        • Opcode Fuzzy Hash: 91f4c976733624ef17da0a500b737c7e3b2638b2a0f699d7549b82957a3873e8
                                        • Instruction Fuzzy Hash: 9FD19475D0021ADFDB00DFA8C885BAEF7B5FF45314F188269E815AB392DB749905CBA0
                                        APIs
                                          • Part of subcall function 00DE0BE0: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,28CB4BA0,00000000,00000000), ref: 00DE0C34
                                          • Part of subcall function 00DE0BE0: GetTempPathW.KERNEL32(00000104,?), ref: 00DE0CC9
                                          • Part of subcall function 00DE0BE0: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00DE0CFA
                                          • Part of subcall function 00DE0BE0: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00DE0D2D
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,28CB4BA0,00000000,?,?,00000000,00EA70A5,000000FF,Shlwapi.dll,00DE0F26,?,?,00000010), ref: 00DE0FBD
                                        • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 00DE0FE9
                                        • GetLastError.KERNEL32(?,00000010), ref: 00DE102E
                                        • DeleteFileW.KERNEL32(?), ref: 00DE1041
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
                                        • String ID: Shlwapi.dll
                                        • API String ID: 1841109139-1687636465
                                        • Opcode ID: 3a470e834994dfe22badc07db438672d0d1227a4abc99bfa0933bece00c7570b
                                        • Instruction ID: 0f7179be64dd13cec7d91f265a4d317f7cf5919ab32a27e6976bbd1640718c47
                                        • Opcode Fuzzy Hash: 3a470e834994dfe22badc07db438672d0d1227a4abc99bfa0933bece00c7570b
                                        • Instruction Fuzzy Hash: 33316575A002499BDB21DFA5C944BEFBBB8FF05350F14411AE815B3280D7359A45CB71
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,28CB4BA0,?,?,00000000,?,?,?,?,00EA6FED,000000FF,?,00DC1C3D), ref: 00DE0850
                                        • CreateThread.KERNEL32(00000000,00000000,00DE0BD0,?,00000000,?), ref: 00DE0886
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00DE098F
                                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 00DE099A
                                        • CloseHandle.KERNEL32(00000000), ref: 00DE09BA
                                          • Part of subcall function 00CB2970: RaiseException.KERNEL32(?,?,00000000,00000000,00E35A3C,C000008C,00000001,?,00E35A6D,00000000,?,00CA91C7,00000000,28CB4BA0,00000001,?), ref: 00CB297C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
                                        • String ID:
                                        • API String ID: 3595790897-0
                                        • Opcode ID: c5b2bfb03ea229f603c5a0fee3821fa65a5da7127745da3deac5eb824cf8cfd2
                                        • Instruction ID: b3895a4f13dfaffcffc26888b89cc1ec4bef613409890dcaaba0f6773de8a5a1
                                        • Opcode Fuzzy Hash: c5b2bfb03ea229f603c5a0fee3821fa65a5da7127745da3deac5eb824cf8cfd2
                                        • Instruction Fuzzy Hash: 24517A74A007099FDB10DF69C884BAEBBF4FF48710F284659E956A7392D770A844CFA0
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • PathIsUNCW.SHLWAPI(?,?), ref: 00DA4736
                                        • _wcschr.LIBVCRUNTIME ref: 00DA4752
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$HeapPathProcess_wcschr
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 660126660-3019864461
                                        • Opcode ID: 91733d61667421faecd3f3f6e2b8cb2bf5967dd6f0705db428712c4843eb32d7
                                        • Instruction ID: 9eeefe0f8d9e8d3192d5d0a05ef24ccc30a9cdd14371b888fa59704368960938
                                        • Opcode Fuzzy Hash: 91733d61667421faecd3f3f6e2b8cb2bf5967dd6f0705db428712c4843eb32d7
                                        • Instruction Fuzzy Hash: DDC19271A016499FDB00DBA8CC45BAEF7F9FF86314F188269E415E72D1DBB49904CBA0
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,28CB4BA0,?,00000010,?), ref: 00DBDF8A
                                          • Part of subcall function 00DCEAB0: GetCurrentProcess.KERNEL32 ref: 00DCEAF8
                                          • Part of subcall function 00DCEAB0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00DCEB05
                                          • Part of subcall function 00DCEAB0: GetLastError.KERNEL32 ref: 00DCEB0F
                                          • Part of subcall function 00DCEAB0: CloseHandle.KERNEL32(00000000), ref: 00DCEBF0
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                        • String ID: Extraction path set to:$[WindowsVolume]$\\?\
                                        • API String ID: 699919280-3538578949
                                        • Opcode ID: d6d358bfe781c3546c8ba00280b32875e8ade89a050ac3c36ad8d98a8d56a3cd
                                        • Instruction ID: 99b815cef16ad73b6b04008bcb55a53193a7b01ff0c1b50a78302867fbae6693
                                        • Opcode Fuzzy Hash: d6d358bfe781c3546c8ba00280b32875e8ade89a050ac3c36ad8d98a8d56a3cd
                                        • Instruction Fuzzy Hash: 0FC1C230A01646DFDB10DF68C885BEEF7B5EF45314F148268E456AB292EB70DD05CBA1
                                        APIs
                                        • ConnectNamedPipe.KERNEL32(?,00000000,28CB4BA0,?,000000FF,?,00000000,00EA62A6,000000FF,?,00DDC45A,000000FF,?,00000001), ref: 00DDC27A
                                        • GetLastError.KERNEL32(?,00DDC45A,000000FF,?,00000001), ref: 00DDC284
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,28CB4BA0,?,000000FF,?,00000000,00EA62A6,000000FF,?,00DDC45A,000000FF,?), ref: 00DDC2C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
                                        • String ID: \\.\pipe\ToServer
                                        • API String ID: 2973225359-63420281
                                        • Opcode ID: ffbc6eceeece3ed928e3090371fc4cb91e28a641b39e546d27d021611509014a
                                        • Instruction ID: 0f88b679f26ef530a78716fa72309494ea4b0169ce69611a203fa6cc09f17a75
                                        • Opcode Fuzzy Hash: ffbc6eceeece3ed928e3090371fc4cb91e28a641b39e546d27d021611509014a
                                        • Instruction Fuzzy Hash: F271D371604209EFDB14DF58D805BAEB7B9FF45724F14862EF8259B380DB75A900DBA0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,28CB4BA0,?,00000010,?,00DB9550,?), ref: 00DB6266
                                        • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00DB62AF
                                        • ReadFile.KERNEL32(00000000,28CB4BA0,?,?,00000000,00000078,?), ref: 00DB62ED
                                        • CloseHandle.KERNEL32(00000000), ref: 00DB6339
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerRead
                                        • String ID:
                                        • API String ID: 4133201480-0
                                        • Opcode ID: f01d08169383b9f43136e6c314f0cf41f67e638935ffa3a7b06246b150c32441
                                        • Instruction ID: baf1bd3ad2163a3957a8e19cab2110c82a6a4b2273e5b8960b2919f6bb9cdc2a
                                        • Opcode Fuzzy Hash: f01d08169383b9f43136e6c314f0cf41f67e638935ffa3a7b06246b150c32441
                                        • Instruction Fuzzy Hash: CF419D70900609EBDB10DF98CD89BEEB7B9EF45724F188259E412B72D1D7749D04CB60
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000001,?,28CB4BA0,?,?,00000000,00E5D670,000000FF,?,00DE12A8,00000000,80004005,?,00F44C50,?,?), ref: 00DE12F7
                                        • GetExitCodeThread.KERNEL32(00000001,80004005,?,?,00000000,00E5D670,000000FF,?,00DE12A8,00000000), ref: 00DE1311
                                        • TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,00E5D670,000000FF,?,00DE12A8,00000000), ref: 00DE1329
                                        • CloseHandle.KERNEL32(00000001,?,?,00000000,00E5D670,000000FF,?,00DE12A8,00000000,80004005,?,00F44C50,?,?,00DC3989), ref: 00DE1332
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
                                        • String ID:
                                        • API String ID: 3774109050-0
                                        • Opcode ID: 19ba66868cb481cbf8ddb3d40f297e3e4ce7f72003625509653233a880514c6f
                                        • Instruction ID: a824537643d4dba8be2bb019ead1b2768e560b95ab42393ff3380335628ae3c1
                                        • Opcode Fuzzy Hash: 19ba66868cb481cbf8ddb3d40f297e3e4ce7f72003625509653233a880514c6f
                                        • Instruction Fuzzy Hash: AA01B575504745EFD7209F55CD05BA7B7FDFB04720F00472DE866A2AA0DB70A804CB50
                                        APIs
                                        • GetLastError.KERNEL32(00DBC783,00000000), ref: 00DBCFA0
                                        • DestroyWindow.USER32(?), ref: 00DBD057
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: DestroyErrorLastWindow
                                        • String ID: (0
                                        • API String ID: 1182162058-3012264354
                                        • Opcode ID: 2ae16935b32fd3d10e27845292b1a3e9995290e156aaacab06a4df04762be8f4
                                        • Instruction ID: 294cf2e882c5c121096d73e48518e648f16aba23795e21602dada6ae9da6b30e
                                        • Opcode Fuzzy Hash: 2ae16935b32fd3d10e27845292b1a3e9995290e156aaacab06a4df04762be8f4
                                        • Instruction Fuzzy Hash: 032127716001098BEB20AF18EC027EA77A4EB55320F040266FC05C7390DB76EC61DBF1
                                        APIs
                                        • __freea.LIBCMT ref: 00E4F0F1
                                          • Part of subcall function 00E4DC17: RtlAllocateHeap.NTDLL(00000000,00000000,00E4D0E1,?,00E4EE85,?,00000000,?,00E3F625,00000000,00E4D0E1,?,?,?,?,00E4CEDB), ref: 00E4DC49
                                        • __freea.LIBCMT ref: 00E4F106
                                        • __freea.LIBCMT ref: 00E4F116
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: __freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 2243444508-0
                                        • Opcode ID: e92e016b0fe966bee3bb9347e6fb1da827a22895826301500af8a86724c6e1f5
                                        • Instruction ID: 09110dd2b06dbd6303c15c7fa24cf087b6871a011dc98ec07c02a7d857c0cc4b
                                        • Opcode Fuzzy Hash: e92e016b0fe966bee3bb9347e6fb1da827a22895826301500af8a86724c6e1f5
                                        • Instruction Fuzzy Hash: 2E51C272601216AFEB249F64EC81EBB7AA9EB44758F151138FC08F7242EB70DD148760
                                        APIs
                                        • SetFilePointer.KERNEL32(?,?,?,00000000,28CB4BA0,?,?), ref: 00DC0B77
                                        • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00DC0C84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$PointerRead
                                        • String ID:
                                        • API String ID: 3154509469-0
                                        • Opcode ID: 2a20e061c6e2e273d869e1021af16b26e99064ae3ce0653db4427ea3736a78a7
                                        • Instruction ID: 9540f49b46717e617f37514b2c698ee0c334edc83d6cc498fe7715fc089486f3
                                        • Opcode Fuzzy Hash: 2a20e061c6e2e273d869e1021af16b26e99064ae3ce0653db4427ea3736a78a7
                                        • Instruction Fuzzy Hash: BB616F71D00609DFDB14DFA8D945B9DFBB4FF09720F14826AE825A7390DB75A904CBA0
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,28CB4BA0,?,?,?,80004005,?,00000000), ref: 00DBE13E
                                        • GetLastError.KERNEL32(?,?,?,80004005,?,00000000), ref: 00DBE176
                                        • GetLastError.KERNEL32(?,?,?,?,80004005,?,00000000), ref: 00DBE20F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateFile
                                        • String ID:
                                        • API String ID: 1722934493-0
                                        • Opcode ID: 7290f00bdbd8acc3f95c1a1313a8b7a5557866d43b5dc6bd57a22a34f57ae8c6
                                        • Instruction ID: dddc8545a50a82790dbd46d1cd2281fa03564d435a4c637d5b8e87a57a6c40ea
                                        • Opcode Fuzzy Hash: 7290f00bdbd8acc3f95c1a1313a8b7a5557866d43b5dc6bd57a22a34f57ae8c6
                                        • Instruction Fuzzy Hash: B351E271A00A05DFDB20DF69CC41BEAF7B5FF45320F148669E92697390EB71A905CBA0
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,28CB4BA0,?,?,7622E010,00000000,00E9AAC5,000000FF,?,00DE32A7,00000000,.part,00000005), ref: 00DA496B
                                        • CreateDirectoryW.KERNEL32(000000FF,00000000,?,?,00ED2A4C,00000001,?), ref: 00DA4A2A
                                        • GetLastError.KERNEL32 ref: 00DA4A38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLastPath
                                        • String ID:
                                        • API String ID: 953296794-0
                                        • Opcode ID: d9bfa0bf39118844b43e2706d28b30de7dd9d97932113bbfd9dc016d731b074c
                                        • Instruction ID: a17a99aa8af89d49a0fe6519a997c468a0fb76892e8d85fc5c53991702d7b8a1
                                        • Opcode Fuzzy Hash: d9bfa0bf39118844b43e2706d28b30de7dd9d97932113bbfd9dc016d731b074c
                                        • Instruction Fuzzy Hash: AD619E31E002099FDB10DFA8C886BAEFBF4EF56324F248259E415A72D1DB75A905CB70
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,00E4C636,?,00E3AD12,?,?,28CB4BA0,00E3AD12,?), ref: 00E4C64D
                                        • TerminateProcess.KERNEL32(00000000,?,00E4C636,?,00E3AD12,?,?,28CB4BA0,00E3AD12,?), ref: 00E4C654
                                        • ExitProcess.KERNEL32 ref: 00E4C666
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 850b51503323ec033171a6129a65bf5a1470d2df7c031be65aafc3b92937bbf5
                                        • Instruction ID: 8fd82f923482837d5e354218d9026726c4faeea9e3bcb2baeb7ec754b25f9961
                                        • Opcode Fuzzy Hash: 850b51503323ec033171a6129a65bf5a1470d2df7c031be65aafc3b92937bbf5
                                        • Instruction Fuzzy Hash: 73D09E31002504AFCF412F65ED0D85E3F69EF44745B25B150B90676231CF719956DA94
                                        APIs
                                          • Part of subcall function 00DB64D0: GetTickCount.KERNEL32 ref: 00DB6554
                                          • Part of subcall function 00DB64D0: __Xtime_get_ticks.LIBCPMT ref: 00DB655C
                                          • Part of subcall function 00DB64D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB65A6
                                          • Part of subcall function 00DDA240: GetUserNameW.ADVAPI32(00000000,?), ref: 00DDA2CE
                                          • Part of subcall function 00DDA240: GetLastError.KERNEL32 ref: 00DDA2D4
                                          • Part of subcall function 00DDA240: GetUserNameW.ADVAPI32(00000000,?), ref: 00DDA31C
                                          • Part of subcall function 00DDA240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00DDA352
                                          • Part of subcall function 00DDA240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00DDA39C
                                        • __Init_thread_footer.LIBCMT ref: 00DB67A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                        • String ID: \/:*?"<>|
                                        • API String ID: 2099558200-3830478854
                                        • Opcode ID: 11d0888ae680b18e0fbda6d6a8b46849c55672e4e99b105c78e1c1e83b2c423b
                                        • Instruction ID: 3ad8db15cfc2cbb73e0c8526e9ff5ba67a825bf39c72827d4802c67606c6be82
                                        • Opcode Fuzzy Hash: 11d0888ae680b18e0fbda6d6a8b46849c55672e4e99b105c78e1c1e83b2c423b
                                        • Instruction Fuzzy Hash: F7D1B074D00258DFDB14DF64C855BEDBBB1BF16308F184298D409AB282DBB45E48DFA1
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,28CB4BA0), ref: 00DA4E00
                                          • Part of subcall function 00DA4EC0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00DA4ECD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                        • String ID: USERPROFILE
                                        • API String ID: 1777821646-2419442777
                                        • Opcode ID: 68306f99df2ae3edfbefefd7c51a78897889d336621fb2b4d7492a94761c1bb4
                                        • Instruction ID: e294781d6962b0f5bf352a51f8b0f6e14b5828a179c17fbc7f193d5493ee3b07
                                        • Opcode Fuzzy Hash: 68306f99df2ae3edfbefefd7c51a78897889d336621fb2b4d7492a94761c1bb4
                                        • Instruction Fuzzy Hash: 7561C271A006099FDB14DF68C859BAEB7B4FF85324F14866DF819DB391DB709A00CBA1
                                        APIs
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00D04CC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID: $
                                        • API String ID: 1378638983-3993045852
                                        • Opcode ID: d8ab8f68778b34d4fb10e8a2065ae419fa2af44faf3d5cc693f16890870ebad9
                                        • Instruction ID: e45baf26f37d34c01254978ee1c0c6c9b3f99738f47ef5ee95a6fbd82c005860
                                        • Opcode Fuzzy Hash: d8ab8f68778b34d4fb10e8a2065ae419fa2af44faf3d5cc693f16890870ebad9
                                        • Instruction Fuzzy Hash: 0331BCB1104340DFDB149F09C884B1ABBF0BF88710F08455DFA998B2A5D376D954CBA1
                                        APIs
                                          • Part of subcall function 00E52DAC: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00E52DD7
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00E530C3,?,00000000,?,?,?), ref: 00E532DD
                                        • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E530C3,?,00000000,?,?,?), ref: 00E5331F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID:
                                        • API String ID: 546120528-0
                                        • Opcode ID: bbe52cf0f81e5e0d167d0fcfb28607c88de513e396b38947bbe9dd536c3d2357
                                        • Instruction ID: a8e32ab6a69b41ea748752b2dcba617e21ae44e34c6a2f950693d92d4da23d0e
                                        • Opcode Fuzzy Hash: bbe52cf0f81e5e0d167d0fcfb28607c88de513e396b38947bbe9dd536c3d2357
                                        • Instruction Fuzzy Hash: E2516970A003048FDB21CF75C8406AEFBF5EF41345F14986ED8A6A7252DB749A0DCB50
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 00DE1931
                                        • EndDialog.USER32(00000000,00000001), ref: 00DE1940
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: DialogWindow
                                        • String ID:
                                        • API String ID: 2634769047-0
                                        • Opcode ID: 4e79cb10a0507fac7c57838b9bdf52547af6c1df71fdece194b3ad8bf77049ba
                                        • Instruction ID: 3717a76a98dea7190b62013fe7007c16e9c2bd96e11b364e0b69c65712309dde
                                        • Opcode Fuzzy Hash: 4e79cb10a0507fac7c57838b9bdf52547af6c1df71fdece194b3ad8bf77049ba
                                        • Instruction Fuzzy Hash: 63518B34A01B85DFD711CF69C948B4AFBF4FF49310F1882ADD455AB2A1D770AA04CBA1
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000), ref: 00DDF735
                                        • CloseHandle.KERNEL32(?), ref: 00DDF789
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CloseFreeHandleLibrary
                                        • String ID:
                                        • API String ID: 10933145-0
                                        • Opcode ID: ed49bb67792d712aeaa1f79496747eadcb0b9f30093f99965f0e1d4dc2d6430e
                                        • Instruction ID: 7581cf8aaacdca959ca5fc26f700b51a489b01be266cb6a20702559be502d250
                                        • Opcode Fuzzy Hash: ed49bb67792d712aeaa1f79496747eadcb0b9f30093f99965f0e1d4dc2d6430e
                                        • Instruction Fuzzy Hash: 05216075A08A09AFD304DF19DC48B96B7F8FB05714F04422AE825D73A1EB78D904DB90
                                        APIs
                                          • Part of subcall function 00DA2350: LoadLibraryW.KERNEL32(ComCtl32.dll,28CB4BA0,00000000,?,00000000), ref: 00DA238E
                                          • Part of subcall function 00DA2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DA23B1
                                          • Part of subcall function 00DA2350: FreeLibrary.KERNEL32(00000000), ref: 00DA242F
                                        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00DA0F84
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DA0F8F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: LibraryMessageSend$AddressFreeLoadProc
                                        • String ID:
                                        • API String ID: 3032493519-0
                                        • Opcode ID: 883f28fedbb253709906240877af6a480a042fd44364a536c84efbb7c72073c3
                                        • Instruction ID: fe5a76f8cf9b5a81287f03d15574156500138e5e295b29da53e1403d3b84f87a
                                        • Opcode Fuzzy Hash: 883f28fedbb253709906240877af6a480a042fd44364a536c84efbb7c72073c3
                                        • Instruction Fuzzy Hash: 5CF030327812183BFA60215A5C47F67B64DD786B64F14426AFB98AB6C2ECC77C0102E8
                                        APIs
                                        • LCMapStringEx.KERNEL32(?,00E4F030,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E5033C
                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00E4F030,?,?,00000000,?,00000000), ref: 00E5035A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: String
                                        • String ID:
                                        • API String ID: 2568140703-0
                                        • Opcode ID: 66f5e7f7c2ac2cee786e8a2a0d0025698baaf626af0ee417952728fe6c6c29eb
                                        • Instruction ID: 24dbf634918f952c617197d4b59a035649cbfb86c5f1d1b983874a70026ef3aa
                                        • Opcode Fuzzy Hash: 66f5e7f7c2ac2cee786e8a2a0d0025698baaf626af0ee417952728fe6c6c29eb
                                        • Instruction Fuzzy Hash: F5F0643650051ABBCF126F91DC09EDE3F6ABB487A1F058520FE1825130CA32D871AB94
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000000,?,00E5221D,?,00000000,?,?,00E524BE,?,00000007,?,?,00E52B18,?,?), ref: 00E4DBF3
                                        • GetLastError.KERNEL32(?,?,00E5221D,?,00000000,?,?,00E524BE,?,00000007,?,?,00E52B18,?,?), ref: 00E4DBFE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 485612231-0
                                        • Opcode ID: 0b8a1d2e72f00ef2ec49191ee4cef075ceff7e9b4b59c6f7de0f6ac214446964
                                        • Instruction ID: c88b2d85194ddeb57bda64dfbeb25cddc9f9c3ff7cb2037592d4467ab32f0fab
                                        • Opcode Fuzzy Hash: 0b8a1d2e72f00ef2ec49191ee4cef075ceff7e9b4b59c6f7de0f6ac214446964
                                        • Instruction Fuzzy Hash: F1E08631104214AFDB113FA5BD0D79A7BA9AB00795F045024F609AA161DA709884CB90
                                        APIs
                                        • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00DC4020,?), ref: 00DC3E8B
                                        Similarity
                                        • API ID: EnumLanguagesResource
                                        • String ID:
                                        • API String ID: 4141015960-0
                                        • Opcode ID: 9f15ae25ba12c374f2a1156d683ab265f42d154c78276f1ae08096d955b352c7
                                        • Instruction ID: 65ef0ecc4c237268f94c41857657944ce932063ec882f0c4d7d749a994ee12db
                                        • Opcode Fuzzy Hash: 9f15ae25ba12c374f2a1156d683ab265f42d154c78276f1ae08096d955b352c7
                                        • Instruction Fuzzy Hash: C1616C71A0160A9FDB14DF68C885F9ABBF4FF08304F14466DE914AB681E771EE45CBA0
                                        APIs
                                        • GetCPInfo.KERNEL32(E8458D00,?,00E530CF,00E530C3,00000000), ref: 00E52EB2
                                        Similarity
                                        • API ID: Info
                                        • String ID:
                                        • API String ID: 1807457897-0
                                        • Opcode ID: 2d7327990828a1b7c90a5feca65e2dd0668a1188d4c912088b0a3088ed46c628
                                        • Instruction ID: ddb42d4ab09e067b4adf88b528f60eed804394d976a5c562a4062ad903113afc
                                        • Opcode Fuzzy Hash: 2d7327990828a1b7c90a5feca65e2dd0668a1188d4c912088b0a3088ed46c628
                                        • Instruction Fuzzy Hash: 73516E716042489ADB218A24DC84AF67BB8EB56304F2419EDE99AF7182D3319D4ADF30
                                        APIs
                                        • DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,28CB4BA0), ref: 00DC2ADB
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 026ea5e1cde5f0ac7e21d8bbc756ec4c0d71f900b049cbbaaf1a478ba817fc66
                                        • Instruction ID: 6baa3f810d7f83ab1b1f2083fbb7d3dbdb4a82636ef17c114af1583db71ca1e7
                                        • Opcode Fuzzy Hash: 026ea5e1cde5f0ac7e21d8bbc756ec4c0d71f900b049cbbaaf1a478ba817fc66
                                        • Instruction Fuzzy Hash: E041F071900616EFDB10DF68C985FAAFBB4FB04710F0482A9E914EB296D771AD00CBB0
                                        APIs
                                          • Part of subcall function 00DA2B00: __Init_thread_footer.LIBCMT ref: 00DA2B76
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • __Init_thread_footer.LIBCMT ref: 00DA2970
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                        • String ID:
                                        • API String ID: 984842325-0
                                        • Opcode ID: 989e86fa2e2b699bd93c4ac89728e6ff0ccdafa4a0a0afdcc66fab90fe1401a0
                                        • Instruction ID: f39de31bda94be6adca2dca4ec099073556415e9b42791ad4ca544f86e6becda
                                        • Opcode Fuzzy Hash: 989e86fa2e2b699bd93c4ac89728e6ff0ccdafa4a0a0afdcc66fab90fe1401a0
                                        • Instruction Fuzzy Hash: F531F0B49806489BD710DF08EC86B66B7E1F723B14F114229EC11CB7D0D7B6A804EFA6
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00DC1B50,?,00000000,00000000,?,?), ref: 00DDF86D
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                          • Part of subcall function 00DDF940: WaitForSingleObject.KERNEL32(?,000000FF,28CB4BA0,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00DDF974
                                        Similarity
                                        • API ID: AllocCreateFileHeapObjectSingleWait
                                        • String ID:
                                        • API String ID: 2723504993-0
                                        • Opcode ID: d361c16da8aa54dcde422a7e2be8279beeb1b2f05fdd275fce0b9b8a69ecd013
                                        • Instruction ID: 5cb945503e0fdabe5bc191e10766e55a2b07060c859e990492d3dbe3fd8c5393
                                        • Opcode Fuzzy Hash: d361c16da8aa54dcde422a7e2be8279beeb1b2f05fdd275fce0b9b8a69ecd013
                                        • Instruction Fuzzy Hash: 7D311974604B019FD324DF28D898B1AB7E0FF88304F24896EE59BD7360D731A950CB65
                                        APIs
                                          • Part of subcall function 00E4DC17: RtlAllocateHeap.NTDLL(00000000,00000000,00E4D0E1,?,00E4EE85,?,00000000,?,00E3F625,00000000,00E4D0E1,?,?,?,?,00E4CEDB), ref: 00E4DC49
                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,?,00E4D0E1,00000000,?,00E3F625,00000000,00E4D0E1,?,?,?,?,00E4CEDB,?,?), ref: 00E4EECD
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 5a1c6b1d024484c18be2d3f77300f84734435e5c2d3e5f414d5efe155b499d58
                                        • Instruction ID: ff56f79b4c998adeb51e5559c758cfa2f9a7984f16d7f04ad850f6aa86c54bdc
                                        • Opcode Fuzzy Hash: 5a1c6b1d024484c18be2d3f77300f84734435e5c2d3e5f414d5efe155b499d58
                                        • Instruction Fuzzy Hash: E5F09632505615AADB213F26BC01FAF3BD9AF917B0F152129F928BA3A1DF70D84095A1
                                        APIs
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • __Init_thread_footer.LIBCMT ref: 00D88052
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                        • String ID:
                                        • API String ID: 2296764815-0
                                        • Opcode ID: 6d7a283f952ad4baa6bfd7766ff1d6d163399575b2cac00b009d7b7e0233c508
                                        • Instruction ID: 5065f951fb15e575ce35beef6fa70fd03bae3d1bd486f290f49a5a57acb11b5e
                                        • Opcode Fuzzy Hash: 6d7a283f952ad4baa6bfd7766ff1d6d163399575b2cac00b009d7b7e0233c508
                                        • Instruction Fuzzy Hash: 2201D4B1904744EBDB14DB68D946B49B7A0E746B20F104679E816D33E1DB35A904E722
                                        APIs
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                          • Part of subcall function 00DA2BA0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00DA2C0E
                                          • Part of subcall function 00DA2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00DA2C55
                                          • Part of subcall function 00DA2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00DA2C74
                                          • Part of subcall function 00DA2BA0: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00DA2CA3
                                          • Part of subcall function 00DA2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00DA2D18
                                        • __Init_thread_footer.LIBCMT ref: 00DA2B76
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        Similarity
                                        • API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
                                        • String ID:
                                        • API String ID: 3563064969-0
                                        • Opcode ID: 92b6173444d0506daca2dc111703d142a49543422383a52492ae25915052b831
                                        • Instruction ID: cffb505d524453abf8421bfcb947a02dda95ea99c8894ee6845b6f680b52a5aa
                                        • Opcode Fuzzy Hash: 92b6173444d0506daca2dc111703d142a49543422383a52492ae25915052b831
                                        • Instruction Fuzzy Hash: 8001A2B1A40604EFCB10DF6CD946B197BA4EB06B20F144269ED25D77C5D734A90096A3
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00E4D0E1,?,00E4EE85,?,00000000,?,00E3F625,00000000,00E4D0E1,?,?,?,?,00E4CEDB), ref: 00E4DC49
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: bf36728ef3f54d311c8372da6d8950ac388c0acbfab71460938bede6c4ca5c7e
                                        • Instruction ID: 7d71f4d55e49cf4c7bdb50c156084471b3357f7750b79ae8ab0a64943e578ff9
                                        • Opcode Fuzzy Hash: bf36728ef3f54d311c8372da6d8950ac388c0acbfab71460938bede6c4ca5c7e
                                        • Instruction Fuzzy Hash: 3FE0E5216086205BD7213E66BD49B5BB68C9B813A0F142110BC01FA191DBD0CC00C1A0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: df4d15faea5114f62cdcd307508976fa15da06f1b63f39339f3c72eca88d2a66
                                        • Instruction ID: 55dcde645a39ac70ffd90b93702dd01ab82f4d142984216f374afbd9e0ea092f
                                        • Opcode Fuzzy Hash: df4d15faea5114f62cdcd307508976fa15da06f1b63f39339f3c72eca88d2a66
                                        • Instruction Fuzzy Hash: 82E09AB6C0120EAADB40DFE4C456BEFBBF8EB08310F509426A245F7141EA785744CBA1
                                        APIs
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: b82ae4e8cb293e48ab7d55f084c465b42f464f9d74854547e23e8087f946355d
                                        • Instruction ID: 23b70b63f35d21e10ff295af0c3c2fafc3af9d3b4ffee86dfc594c99c49b1dbe
                                        • Opcode Fuzzy Hash: b82ae4e8cb293e48ab7d55f084c465b42f464f9d74854547e23e8087f946355d
                                        • Instruction Fuzzy Hash: 6EC08C302007114BD7306B18BA0878332DC5B04704F004419B419D3200CB70DC08C654
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                        • API String ID: 0-2910470256
                                        • Opcode ID: 3984b806bff4083597aaeb15eecdfe6e6c060fde7e7f0f2f9fef8865601ac6c5
                                        • Instruction ID: a6c839af26cede5050aca2b291db32af13b36cc975bea67bf3c4a75f1519aca5
                                        • Opcode Fuzzy Hash: 3984b806bff4083597aaeb15eecdfe6e6c060fde7e7f0f2f9fef8865601ac6c5
                                        • Instruction Fuzzy Hash: 4133C520E853C9EAD700EBB89A1A71D3D619B53718F5452ACE5523B2E3CFB90B4CB351
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 00CC420A
                                        • VariantClear.OLEAUT32(?), ref: 00CC423C
                                        • VariantClear.OLEAUT32(?), ref: 00CC435F
                                        • VariantClear.OLEAUT32(?), ref: 00CC438E
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC4395
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC43E8
                                        • VariantClear.OLEAUT32(?), ref: 00CC4476
                                        • VariantClear.OLEAUT32(?), ref: 00CC44A8
                                        • VariantClear.OLEAUT32(?), ref: 00CC4609
                                        • VariantClear.OLEAUT32(?), ref: 00CC463C
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC4647
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC468A
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC4845
                                          • Part of subcall function 00CC5120: VariantClear.OLEAUT32(?), ref: 00CC5129
                                        • VariantClear.OLEAUT32(?), ref: 00CC47FB
                                        • VariantClear.OLEAUT32(?), ref: 00CC4837
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC4869
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                        • API String ID: 1305860026-3153392536
                                        • Opcode ID: 8a0598ae10cb577ba90f9a4d2d4c810a04ec0757102d330a571658e51dccdaaf
                                        • Instruction ID: 483ed12b5c13583250a7625cf989b85abf30c6ca2759509d3c550597038d0ff1
                                        • Opcode Fuzzy Hash: 8a0598ae10cb577ba90f9a4d2d4c810a04ec0757102d330a571658e51dccdaaf
                                        • Instruction Fuzzy Hash: 10926770D00219DFDB24CFA4CC94BDEBBB4BF49314F108299E459A7281EB74AA85DF94
                                        APIs
                                        • CreateFileW.KERNEL32(00F46078,C0000000,00000003,00000000,00000004,00000080,00000000,28CB4BA0,00F46054,00F4606C,?), ref: 00DD7837
                                        • GetLastError.KERNEL32 ref: 00DD7854
                                        • OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00DD78CF
                                        • OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00DD79CB
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00DD7A3C
                                        • WriteFile.KERNEL32(00000000,00F45920,00000000,00000000,00000000,?,0000001C), ref: 00DD7A6C
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00EC58A8,00000002), ref: 00DD7B17
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00DD7B20
                                        • FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00DD7A71
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        • OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 00DD7C12
                                        • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 00DD7C98
                                        • FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00DD7CA3
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00EC58A8,00000002,?,?,CPU: ,00000005), ref: 00DD7D17
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00DD7D20
                                        • WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00EC58A8,00000002), ref: 00DD7DA5
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00DD7DAE
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
                                        • String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
                                        • API String ID: 4051163352-1312762833
                                        • Opcode ID: 79e61e8533d81e0c22e3810747ec3896c06b4161b563e97fb2bcaca62f6a0e06
                                        • Instruction ID: c737292248b5ed97c2a0dc00a3aebd52246cff7cd3d0b6c87fdf7a54b965f3fd
                                        • Opcode Fuzzy Hash: 79e61e8533d81e0c22e3810747ec3896c06b4161b563e97fb2bcaca62f6a0e06
                                        • Instruction Fuzzy Hash: F5128E70A016069FDB10DF68CD49B6EBBB5FF45314F1482A9E815AB3A2EB30DD05CB60
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 00CC35FA
                                        • VariantClear.OLEAUT32(?), ref: 00CC362C
                                        • VariantClear.OLEAUT32(?), ref: 00CC3726
                                        • VariantClear.OLEAUT32(?), ref: 00CC3755
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC375C
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC37A3
                                        • VariantClear.OLEAUT32(?), ref: 00CC3827
                                        • VariantClear.OLEAUT32(?), ref: 00CC3859
                                        • VariantClear.OLEAUT32(?), ref: 00CC3959
                                        • VariantClear.OLEAUT32(?), ref: 00CC398C
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC3997
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC39DD
                                        • VariantClear.OLEAUT32(?), ref: 00CC3A5A
                                        • VariantClear.OLEAUT32(?), ref: 00CC3A8C
                                        • VariantClear.OLEAUT32(?), ref: 00CC3BAC
                                        • VariantClear.OLEAUT32(?), ref: 00CC3BDB
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC3BE2
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC3C35
                                        • VariantClear.OLEAUT32(?), ref: 00CC3CBA
                                        • VariantClear.OLEAUT32(?), ref: 00CC3CEC
                                        • VariantClear.OLEAUT32(?), ref: 00CC3DDD
                                        • VariantClear.OLEAUT32(?), ref: 00CC3E0A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID:
                                        • API String ID: 1305860026-0
                                        • Opcode ID: 5d8d87770e4aeeb5c2e48f3086fb57cadb170a3a83a4b1d6b2cb31a2facec4d7
                                        • Instruction ID: f94cd6c7f71fd9dec22f4101c8a724e317faae46e19bcf13c6bc0e8f49021540
                                        • Opcode Fuzzy Hash: 5d8d87770e4aeeb5c2e48f3086fb57cadb170a3a83a4b1d6b2cb31a2facec4d7
                                        • Instruction Fuzzy Hash: F4429D71900249DFCB00DFA8D849BEEBBB4FF09314F14826DE415E7291E778AA45DBA1
                                        APIs
                                          • Part of subcall function 00CAF5F0: EnterCriticalSection.KERNEL32(00F46250,28CB4BA0,00000000,?,?,?,?,?,?,00CAEE50,00E5F68D,000000FF), ref: 00CAF62D
                                          • Part of subcall function 00CAF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 00CAF6A8
                                          • Part of subcall function 00CAF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 00CAF74E
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CAF233
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CAF264
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00CAF33B
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00CAF34B
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CAF356
                                        • NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00CAF364
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00CAF372
                                        • SetWindowTextW.USER32(?,00EC337C), ref: 00CAF411
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00CAF448
                                        • GlobalLock.KERNEL32(00000000), ref: 00CAF456
                                        • GlobalUnlock.KERNEL32(?), ref: 00CAF47A
                                        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CAF501
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CAF516
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00CAF55D
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CAF585
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
                                        • String ID: L4$~4
                                        • API String ID: 4180125975-2895323252
                                        • Opcode ID: c871493ad06b169ec1a3b59f5c682bf4325c20712e00d65f070cd9c278481287
                                        • Instruction ID: 251cd432da611c8a8f2c700d891ce94103e8bf897a927b04b033aa688d29dcdf
                                        • Opcode Fuzzy Hash: c871493ad06b169ec1a3b59f5c682bf4325c20712e00d65f070cd9c278481287
                                        • Instruction Fuzzy Hash: 3FD1A07190020AEFDB11DFE4CC48BAFBBB8EF46718F14416CE911A7290D7759A06DBA1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00CB8D83
                                        • ShowWindow.USER32(00000000,?), ref: 00CB8DA2
                                        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CB8DB0
                                        • GetWindowRect.USER32(00000000,?), ref: 00CB8DC7
                                        • ShowWindow.USER32(00000000,?), ref: 00CB8DE8
                                        • SetWindowLongW.USER32(?,000000EB,?), ref: 00CB8DFF
                                          • Part of subcall function 00CB2970: RaiseException.KERNEL32(?,?,00000000,00000000,00E35A3C,C000008C,00000001,?,00E35A6D,00000000,?,00CA91C7,00000000,28CB4BA0,00000001,?), ref: 00CB297C
                                        • ShowWindow.USER32(?,?), ref: 00CB8F43
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00CB8F79
                                        • ShowWindow.USER32(?,?), ref: 00CB8F96
                                        • GetWindowRect.USER32(?,?), ref: 00CB8FBB
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00CB90F8
                                        • GetWindowRect.USER32(?,?), ref: 00CB91B5
                                        • GetWindowRect.USER32(?,?), ref: 00CB9207
                                        • SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 00CB9243
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$LongRectShow$MessageSend$ExceptionRaise
                                        • String ID: L/
                                        • API String ID: 1022490566-3611498470
                                        • Opcode ID: 0cbfb0c5d96b19cd29cf52251011f33fb8396080edd85ae066431474b1c54b0a
                                        • Instruction ID: 7dbcc8789a1bb0ddd0ead7cf6e561712248a9c6a035584fb85898d2d314df0c6
                                        • Opcode Fuzzy Hash: 0cbfb0c5d96b19cd29cf52251011f33fb8396080edd85ae066431474b1c54b0a
                                        • Instruction Fuzzy Hash: F512AB71904605AFDB25CF68C884BAEBBF9FF99304F00491DF996A7260DB30E949CB51
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00CAECCB
                                        • GetWindowLongW.USER32(00000004,000000EC), ref: 00CAECDB
                                        • SetWindowLongW.USER32(00000004,000000EC,00000000), ref: 00CAECE6
                                        • NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 00CAECF4
                                        • GetWindowLongW.USER32(00000004,000000EB), ref: 00CAED02
                                        • SetWindowTextW.USER32(00000004,00EC337C), ref: 00CAEDA1
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00CAEDD8
                                        • GlobalLock.KERNEL32(00000000), ref: 00CAEDE6
                                        • GlobalUnlock.KERNEL32(?), ref: 00CAEE0A
                                        • SetWindowLongW.USER32(00000004,000000EB,00000000), ref: 00CAEE6F
                                        • NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 00CAEEBD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                        • String ID: L4$~4
                                        • API String ID: 3555041256-2895323252
                                        • Opcode ID: a623b8324735e3c8d8f0f5f72ecfb25f4b8a708d932b6fb436c0fad2f1bd4ce1
                                        • Instruction ID: 8b6d4c0f2c1fd74f7a100eae35728252fd1ab9b4296106f732ed466d8803a0c7
                                        • Opcode Fuzzy Hash: a623b8324735e3c8d8f0f5f72ecfb25f4b8a708d932b6fb436c0fad2f1bd4ce1
                                        • Instruction Fuzzy Hash: F3A1C371901206EFDB10DFA4CC48BAFBBB9EF46318F144618F925A7291DB359E04CBA1
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00DAC452
                                        • FindClose.KERNEL32(00000000), ref: 00DAC480
                                        • FindClose.KERNEL32(00000000), ref: 00DAC509
                                        Strings
                                        • An acceptable version was found., xrefs: 00DAC8CF
                                        • No acceptable version found., xrefs: 00DAC8F9
                                        • Not selected for install., xrefs: 00DAC900
                                        • No acceptable version found. It must be installed from package., xrefs: 00DAC8D6
                                        • No acceptable version found. It is already downloaded and it will be installed., xrefs: 00DAC8F2
                                        • No acceptable version found. It must be downloaded., xrefs: 00DAC8DD
                                        • No acceptable version found. Operating System not supported., xrefs: 00DAC8EB
                                        • No acceptable version found. It must be downloaded manually from a site., xrefs: 00DAC8E4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                        • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                        • API String ID: 544434140-749633484
                                        • Opcode ID: 728a412a940a0d096a9444bccbd1ec542fe1338eac04c19deed0fea3a2618e05
                                        • Instruction ID: fee0c329af61aa045f3bda10e3084662d35c1bb08a443bdc5bc64199938a0ef8
                                        • Opcode Fuzzy Hash: 728a412a940a0d096a9444bccbd1ec542fe1338eac04c19deed0fea3a2618e05
                                        • Instruction Fuzzy Hash: ABF1A23090060ACFDB10DF68C8487AEFBF1EF46324F188699D4599B392EB34D945DBA1
                                        APIs
                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00CFFC1B
                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00CFFC2B
                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 00CFFC40
                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00CFFC51
                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00CFFC64
                                        • GetWindowRect.USER32(?,?), ref: 00CFFC92
                                          • Part of subcall function 00D012B0: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D0130F
                                          • Part of subcall function 00D012B0: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00CFFDEC,00000000,28CB4BA0,?,?), ref: 00D01328
                                          • Part of subcall function 00CB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00CB0DE6
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 00CFFCF4
                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00CFFD04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateLongRect
                                        • String ID: ,
                                        • API String ID: 1954517558-3772416878
                                        • Opcode ID: 6e4b684ecdb21f2e564cf5f4113f02cb5f4446cf44cda17c14ce6ea1ee1d2aeb
                                        • Instruction ID: e216107e5fcc9435c9ee400ded95543c3bb71e180a20e582b2f6713010a9e4be
                                        • Opcode Fuzzy Hash: 6e4b684ecdb21f2e564cf5f4113f02cb5f4446cf44cda17c14ce6ea1ee1d2aeb
                                        • Instruction Fuzzy Hash: 54A10971A002199FDB14CFA9CC85BAEBBF9FF48300F50462EE916EB291D774A905DB50
                                        APIs
                                        • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00CC6143
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • __Init_thread_footer.LIBCMT ref: 00CC610F
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00CC643F
                                        • SendMessageW.USER32(?,0000102B,?,?), ref: 00CC64CF
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 00CC6555
                                        • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00CC6695
                                          • Part of subcall function 00CAC3F0: __floor_pentium4.LIBCMT ref: 00CAC40D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__floor_pentium4
                                        • String ID: AiFeatIco
                                        • API String ID: 4294328693-859831556
                                        • Opcode ID: 586b9a702679d15f15030c1d19216fcc7861462b2ba2e7e848a83d9db5440dbc
                                        • Instruction ID: fc2bbe1e219c3237bfce80cfb31408116f60bef04ff36b026a50f55492f1648e
                                        • Opcode Fuzzy Hash: 586b9a702679d15f15030c1d19216fcc7861462b2ba2e7e848a83d9db5440dbc
                                        • Instruction Fuzzy Hash: 5822E071900249DFDF14DF68C989BEDBBB1FF59304F184169E815AF292DB70AA40DBA0
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00D82C80
                                        • SendMessageW.USER32(?,00000443,00000000), ref: 00D82CEA
                                        • MulDiv.KERNEL32(?,00000000), ref: 00D82D21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow
                                        • String ID: ;3$NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                        • API String ID: 701072176-1447288369
                                        • Opcode ID: 07d0841ff5a5bbbc8503f0da2a7e02d3964839bbdd16fc99834480bfb6c2cdb3
                                        • Instruction ID: fe867c6d830314e7ef7a29071ea982d4adcf154bf3c0b670a78df55579f6fd3f
                                        • Opcode Fuzzy Hash: 07d0841ff5a5bbbc8503f0da2a7e02d3964839bbdd16fc99834480bfb6c2cdb3
                                        • Instruction Fuzzy Hash: 22C1AB71A00709AFEB14CF64CC55BEAB7F1FB49304F008299E556AB2D1DB746A49CFA0
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • _wcschr.LIBVCRUNTIME ref: 00DCA6D9
                                        • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00DCA82E
                                        • GetDriveTypeW.KERNEL32(?), ref: 00DCA84A
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00DCAA37
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00DCAAC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Wow64$DriveInit_thread_footerRedirection$DisableHeapLogicalProcessRevertStringsType_wcschr
                                        • String ID: ]%!
                                        • API String ID: 2638324580-1069524040
                                        • Opcode ID: 9c9a4021ffe8afb68ea9132e394762f20f2c564533454e9ab7c528e447ab578a
                                        • Instruction ID: 57e4657c4846c0ff8163b1337cf714e917ad0111edbe88b45ab75a6e8ea4b93f
                                        • Opcode Fuzzy Hash: 9c9a4021ffe8afb68ea9132e394762f20f2c564533454e9ab7c528e447ab578a
                                        • Instruction Fuzzy Hash: 76F1BF7090065ADFDB24DB6CCC84BADB7B5EF04314F1482E9E45AA7291DB709E84CFA1
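Added example in Python, not part of the Joe Sandbox report or its signature engine: a small parser for the "APIs" call lists in these function blocks that flags the GetLogicalDriveStringsW/GetDriveTypeW pair from the block above (the call sequence that enumerates mounted drives and classifies them, which is how removable media gets singled out) and checks that a Wow64DisableWow64FsRedirection call is paired with a Wow64RevertWow64FsRedirection call. The input lines are copied from the function block above; the call-site-address ordering heuristic, the rule names and the `triage` summary are this example's own assumptions, not how Joe Sandbox derives its signatures.

```python
"""Parse per-function 'APIs' call lists from a Joe Sandbox report and flag
drive enumeration and WOW64 file-system redirection handling.

Added example, not part of the Joe Sandbox report or its signature engine.
REPORT_BLOCK is copied from the function block above; the rules below
(ordering by call-site address, rule names) are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the report's function block at 00DCA6D9..00DCAAC1.
REPORT_BLOCK = """\
  • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
  • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
  • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
• _wcschr.LIBVCRUNTIME ref: 00DCA6D9
• GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00DCA82E
• GetDriveTypeW.KERNEL32(?), ref: 00DCA84A
• Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00DCAA37
• Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00DCAAC1
"""

# One report line: optional sub-call prefix, Api.MODULE, optional (args), ref: address.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple[str, ...]   # raw argument column; "?" means the sandbox could not resolve it
    ref: int                # address of the call site
    subcall_of: int | None  # callee address when the API is reached through a sub-call


def parse_calls(text: str) -> list[Call]:
    """Turn the bullet lines of one 'APIs' section into Call records."""
    calls: list[Call] = []
    for raw in text.splitlines():
        m = CALL_RE.match(raw.strip())
        if not m:  # 'APIs', 'Strings' and other non-call lines
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def direct(calls: list[Call]) -> list[Call]:
    """Calls made by the function itself, not by one of its callees."""
    return [c for c in calls if c.subcall_of is None]


def enumerates_drives(calls: list[Call]) -> bool:
    """True when the function lists drive letters and then classifies them.

    GetLogicalDriveStringsW returns the mounted drive letters; GetDriveTypeW
    is what tells DRIVE_REMOVABLE (USB) apart from fixed or network disks.
    Ordering is judged by call-site address, a heuristic of this example:
    the two calls are normally laid out in that order within one loop.
    """
    listing = [c.ref for c in direct(calls) if c.api == "GetLogicalDriveStringsW"]
    typing_ = [c.ref for c in direct(calls) if c.api == "GetDriveTypeW"]
    return any(t > l for l in listing for t in typing_)


def wow64_redirection(calls: list[Call]) -> str:
    """'absent', 'balanced' or 'unbalanced' for WOW64 file-system redirection.

    A 32-bit process that calls Wow64DisableWow64FsRedirection resolves
    System32 to the native directory instead of SysWOW64 until it calls the
    Revert function; a missing Revert leaves the calling thread in that state.
    """
    disables = sum(c.api == "Wow64DisableWow64FsRedirection" for c in direct(calls))
    reverts = sum(c.api == "Wow64RevertWow64FsRedirection" for c in direct(calls))
    if disables == reverts == 0:
        return "absent"
    return "balanced" if disables == reverts else "unbalanced"


def triage(text: str) -> dict[str, object]:
    """Run both rules over one function's call list."""
    calls = parse_calls(text)
    return {
        "calls": len(calls),
        "enumerates_drives": enumerates_drives(calls),
        "wow64_redirection": wow64_redirection(calls),
    }


if __name__ == "__main__":
    print(triage(REPORT_BLOCK))
```

Sub-call lines are kept but excluded from the rules, since they describe a callee (here the CRT helper at 00CA9E50) rather than the function being examined; feeding any other "APIs" block from this report into `triage` works the same way.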
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • GetACP.KERNEL32(?,?,?,?,?,?,00E493AE,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00E53C41
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E493AE,?,?,?,00000055,?,-00000050,?,?), ref: 00E53C6C
                                        • _wcschr.LIBVCRUNTIME ref: 00E53D00
                                        • _wcschr.LIBVCRUNTIME ref: 00E53D0E
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00E53DCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                        • String ID: utf8
                                        • API String ID: 4147378913-905460609
                                        • Opcode ID: 49ca41e53579b250ddda467130e7747fa7fc9f130a5a0464e5bd0015c11b4df5
                                        • Instruction ID: d754a8befe1dc42347a9c251dae2f8ccd405b84b8c38cf18ad29112a8f0eff75
                                        • Opcode Fuzzy Hash: 49ca41e53579b250ddda467130e7747fa7fc9f130a5a0464e5bd0015c11b4df5
                                        • Instruction Fuzzy Hash: 0571D571A00305AAD725AB79DC46BA7B3F8EF44786F146829FD05FB181EA70DE48C760
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 4fdc05f9a8ed91792a6cc349f3e939f205af458d7d64a2451dc343951562eef8
                                        • Instruction ID: 04fceb6170c214a91a5421abe6952e6bfa41afabf3e64cf3f5a3d18e49a00775
                                        • Opcode Fuzzy Hash: 4fdc05f9a8ed91792a6cc349f3e939f205af458d7d64a2451dc343951562eef8
                                        • Instruction Fuzzy Hash: 50D22871E08228CBDB65CE24DD407EAB7B5EB44306F1459EAD80DB7241DB78AE898F41
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,28CB4BA0,?,00000000,00000000), ref: 00DDFBF1
                                        • FindNextFileW.KERNEL32(?,00000000), ref: 00DDFC0C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: FileFind$FirstNext
                                        • String ID:
                                        • API String ID: 1690352074-0
                                        • Opcode ID: 6e7c5d364aa89e454e1a87edebc0050ebf04fc2184ec3365c3e725300f5b17e5
                                        • Instruction ID: b3916149b34ed11d68764660d82d9d215c65b2a98236a75c5c13d05060efc34e
                                        • Opcode Fuzzy Hash: 6e7c5d364aa89e454e1a87edebc0050ebf04fc2184ec3365c3e725300f5b17e5
                                        • Instruction Fuzzy Hash: A0717F71900289DFDB10DFA9CD48BDEBBB8FF05314F188169E815AB291DB749E04CB60
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00DA3BA8
                                        • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00DA3C45
                                        • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00DA3C6B
                                        • FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00DA3CB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess
                                        • String ID: P3
                                        • API String ID: 3625725927-1755088194
                                        • Opcode ID: 979e6695cf85bab62ec00b376fe004be8665e40a5edcf96be77eb0100df85677
                                        • Instruction ID: e04cbc91bd816e0a28ae2723c6fcc252b56e11cd1f64f51d7cbb820870d1a3bc
                                        • Opcode Fuzzy Hash: 979e6695cf85bab62ec00b376fe004be8665e40a5edcf96be77eb0100df85677
                                        • Instruction Fuzzy Hash: 24A1D471A002459FDB14DF68CC49BAEB7F6FF41324F14862AF815E7380E7B59A048BA0
                                        APIs
                                        • ShowWindow.USER32(?,00000000), ref: 00D00B67
                                        • ShowWindow.USER32(?,00000005), ref: 00D00B93
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00D00BC5
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D00BE3
                                        • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?), ref: 00D00BF6
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D00C0D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$Show$NtdllProc_
                                        • String ID:
                                        • API String ID: 3227303085-0
                                        • Opcode ID: 83a37b26ee23205f4816aaeda3f245dae212e15f4a32dc5391fa480a26cfa5bd
                                        • Instruction ID: 001b113d784f612514b26f8d7bb3eee27701ea270abcd37ca25e8add1790f02b
                                        • Opcode Fuzzy Hash: 83a37b26ee23205f4816aaeda3f245dae212e15f4a32dc5391fa480a26cfa5bd
                                        • Instruction Fuzzy Hash: 9C212A35604219EFDB15DF58D845B69BBB1FF49321F210269E816A73F1CB366810DB50
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000C,00E35BBD,00000000,?,00E35D55,00000000,?,?,00CB0B74,?), ref: 00E35CA3
                                        • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,00CB0B74,?), ref: 00E35CCA
                                        • HeapAlloc.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35CD1
                                        • InitializeSListHead.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35CDE
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00CB0B74,?), ref: 00E35CF3
                                        • HeapFree.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35CFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                        • String ID:
                                        • API String ID: 1475849761-0
                                        • Opcode ID: cdf391e92e832e8ddabee89e24f5fece719cd67a355f686169b2a28394344c39
                                        • Instruction ID: 51130a1cbdf1b7818921f000c4e974a0277e9de1f3aa532b06875b5e98ed8476
                                        • Opcode Fuzzy Hash: cdf391e92e832e8ddabee89e24f5fece719cd67a355f686169b2a28394344c39
                                        • Instruction Fuzzy Hash: A2F08C36601A019FE710AF2AAD4CB077BACBB98756F044528EA42E3360DF70D808DA60
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00E5462D,00000002,00000000,?,?,?,00E5462D,?,00000000), ref: 00E543A8
                                        • GetLocaleInfoW.KERNEL32(?,20001004,00E5462D,00000002,00000000,?,?,?,00E5462D,?,00000000), ref: 00E543D1
                                        • GetACP.KERNEL32(?,?,00E5462D,?,00000000), ref: 00E543E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: cc1adf7b567bdc816d47f930970a3c444a956ec3924689d242faa3ada9f20871
                                        • Instruction ID: d2ee803b44aaa1f0eef47d649b1403cafabbf7bb6dc71ec0f4d908e64f2a0468
                                        • Opcode Fuzzy Hash: cc1adf7b567bdc816d47f930970a3c444a956ec3924689d242faa3ada9f20871
                                        • Instruction Fuzzy Hash: 7221E2B2601100AAD7249F54C901ADB73AAAB54B5EB566C34ED0AF72A0E732DD88C340
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00E545F0
                                        • IsValidCodePage.KERNEL32(00000000), ref: 00E54639
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00E54648
                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00E54690
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00E546AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                        • String ID:
                                        • API String ID: 415426439-0
                                        • Opcode ID: cae22bec5c96c948524104fce20371f4f30e8faf749cdb4702cd714cafd1115f
                                        • Instruction ID: 9727d321b1cc7c032c2c8ef97aa0c950401d20cfe3415cd4f1fb6657188b566a
                                        • Opcode Fuzzy Hash: cae22bec5c96c948524104fce20371f4f30e8faf749cdb4702cd714cafd1115f
                                        • Instruction Fuzzy Hash: 9A5190B2900205AFDF11DFA9DC45ABA73B8BF0570AF045929F914F71D0EBB09A48CB61
                                        APIs
                                        • GetWindowLongW.USER32(00000003,000000FC), ref: 00CBC546
                                        • SetWindowLongW.USER32(00000003,000000FC,?), ref: 00CBC558
                                        • DeleteCriticalSection.KERNEL32(?,28CB4BA0,?,?,?,?,00E619C4,000000FF), ref: 00CBC583
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: LongWindow$CriticalDeleteSection
                                        • String ID: PV
                                        • API String ID: 1978754570-1684308595
                                        • Opcode ID: a5c83916ef7bc1593750b49150a37dba6e6fa9329c1367f2dde667b906b376f5
                                        • Instruction ID: 9e8bb4896ae20735e1070e61743ebfa64f6bb22e7d90a17f974095121b774f79
                                        • Opcode Fuzzy Hash: a5c83916ef7bc1593750b49150a37dba6e6fa9329c1367f2dde667b906b376f5
                                        • Instruction Fuzzy Hash: D731CF75A00646ABCB20CF24CD49B9ABFE8BF16320F144259E824A3691D771EA14EB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: _strrchr
                                        • String ID:
                                        • API String ID: 3213747228-0
                                        • Opcode ID: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
                                        • Instruction ID: 1e0aae6b834404d0babbcca9933d10fb2c638eb6e2ec2da5ff2b037902e57d04
                                        • Opcode Fuzzy Hash: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
                                        • Instruction Fuzzy Hash: 9DB13332E082459FDB258F28DC81BFEBBE5EF59314F14916AE815BB341D2749D05CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c1967bd4a28651f341092d337d346ee5eb31740c1c862b71413ca9ca0dfb048
                                        • Instruction ID: f4d55f8aa5083417cdec6ba306b60ec3f107ebf6c54ceadf38f5d036aa09e75c
                                        • Opcode Fuzzy Hash: 0c1967bd4a28651f341092d337d346ee5eb31740c1c862b71413ca9ca0dfb048
                                        • Instruction Fuzzy Hash: 85819171901219DFDB50DF68CC4AB99B7B4EF45324F1882DDE818AB292DB709E44CFA1
                                        APIs
                                        • FindResourceW.KERNEL32(00000000,?,00000017,28CB4BA0,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00D3AB88
                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00D3AB9B
                                        • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00D3ABAA
                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00D3ABBA
                                          • Part of subcall function 00DA1480: MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,28CB4BA0,00000000,00000000), ref: 00DA14D4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Resource$ByteCharFindLoadLockMultiSizeofWide
                                        • String ID:
                                        • API String ID: 203124936-0
                                        • Opcode ID: 2a55d9aa97e1f75f80e0779d198ac43154c53dc6f4f748a789bea57cc3885b5c
                                        • Instruction ID: 4ec67243ee10f5d74faa5f032665c9891da0b949db2dd2f35388b852a5600fb4
                                        • Opcode Fuzzy Hash: 2a55d9aa97e1f75f80e0779d198ac43154c53dc6f4f748a789bea57cc3885b5c
                                        • Instruction Fuzzy Hash: 1C312275E04705ABDB209F78DD05BABB7F8EB08750F044729E855A73C0EB70A908C7A1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00D00D3E
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D00D5C
                                        • NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00D00D6E
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D00D80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$NtdllProc_
                                        • String ID:
                                        • API String ID: 3674618424-0
                                        • Opcode ID: c534947c39755f5e871b054a64d97a37af4bf07caf66f7f3ca0087bdabc18838
                                        • Instruction ID: 2672f1eba5f23f7859481e342591e94088ecca1151b565b6953bc5c3a35a228b
                                        • Opcode Fuzzy Hash: c534947c39755f5e871b054a64d97a37af4bf07caf66f7f3ca0087bdabc18838
                                        • Instruction Fuzzy Hash: E2319A70A04258AFDB11CF68DD85B59BFF1EF46320F14429AE815AB3E1CBB1AD14DB60
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00D00C3C
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D00C5A
                                        • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?), ref: 00D00C70
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D00C87
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$NtdllProc_
                                        • String ID:
                                        • API String ID: 3674618424-0
                                        • Opcode ID: 04ed81c86da28fc78512d2e72d77a282805a613318e13c5fe1d3e92dc774f385
                                        • Instruction ID: eb2e52f73de3ccccf6c5ea62dd934a6a61c17319d578e94ba9cb513811282304
                                        • Opcode Fuzzy Hash: 04ed81c86da28fc78512d2e72d77a282805a613318e13c5fe1d3e92dc774f385
                                        • Instruction Fuzzy Hash: FB112A76A04258AFDB21DF58DC44B9DBBF1FB49320F21032AF965A33E0CB7129109B40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: yxxx$yxxx$yxxx$yxxx
                                        • API String ID: 0-3504637693
                                        • Opcode ID: d8c38588a5664d3a7b5e5e221eb86b82cd2eb28c5ad7f616112e8fe8546425d3
                                        • Instruction ID: 821ff3a7fc93d1bc6d6d2c9d3d94573982e5bf4fef1e5434b8748014fde0de11
                                        • Opcode Fuzzy Hash: d8c38588a5664d3a7b5e5e221eb86b82cd2eb28c5ad7f616112e8fe8546425d3
                                        • Instruction Fuzzy Hash: 5B0295B1A045099FCB18DF68CD81AEEBBF5EF88300F148629E915EB395D770E941CB90
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00DCB88C
                                        • FindClose.KERNEL32(00000000), ref: 00DCB9D7
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Find$AllocCloseFileFirstHeap
                                        • String ID: %d.%d.%d.%d
                                        • API String ID: 2507753907-3491811756
                                        • Opcode ID: 88cec16abd676d39b38137b277f4bca664e8973d966e8d6e6ff4d293d9f69c92
                                        • Instruction ID: a767967a62e0d278643be3e54d7adaf5e52a5d9163f830c985e74ceb80b8e159
                                        • Opcode Fuzzy Hash: 88cec16abd676d39b38137b277f4bca664e8973d966e8d6e6ff4d293d9f69c92
                                        • Instruction Fuzzy Hash: 39617D70905219DFDF20DF28CC4AB9DBBB4EF05314F14829AE859AB291DB719E84CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                        • API String ID: 0-932585912
                                        • Opcode ID: 1600019a96ff17dc760268912b478de038c3a8aa0599a6ffb9a120e4cdea0688
                                        • Instruction ID: 488e809670bde5b24ea9489cf939077ddf557d51d298eab3a6bef3a821d99e09
                                        • Opcode Fuzzy Hash: 1600019a96ff17dc760268912b478de038c3a8aa0599a6ffb9a120e4cdea0688
                                        • Instruction Fuzzy Hash: 87D16E70D00218DFDB04CFA9CD45BEEBBF1BF45304F108269E455AB286D778AA09DBA1
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E53FE7
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E54031
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E540F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: InfoLocale$ErrorLast
                                        • String ID:
                                        • API String ID: 661929714-0
                                        • Opcode ID: 4c802cf5e2b9c8180e4b3b953e1e5fe0bc405bab702ba487b2a20b9a50399ef6
                                        • Instruction ID: 9abf589041ee1e01eb056a07f692cbabb3c18777b3fc443797ee6c71aeaf4a48
                                        • Opcode Fuzzy Hash: 4c802cf5e2b9c8180e4b3b953e1e5fe0bc405bab702ba487b2a20b9a50399ef6
                                        • Instruction Fuzzy Hash: 1B61F0B19115179FDB289F28CD82BBAB3A8EF1430AF105579EE05E62C0E734D9C9DB10
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: &$</a>$<a>
                                        • API String ID: 1385522511-4150034113
                                        APIs
                                        • IsWindow.USER32(00000004), ref: 00CB88DE
                                        • GetWindowLongW.USER32(00000004,000000FC), ref: 00CB88F7
                                        • SetWindowLongW.USER32(00000004,000000FC,?), ref: 00CB8909
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E3AE0B
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E3AE15
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E3AE22
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        APIs
                                        • GetWindowLongW.USER32(?,000000FC), ref: 00CB1689
                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 00CB1697
                                        • DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,00EC383C), ref: 00CB16C3
                                        Similarity
                                        • API ID: Window$Long$Destroy
                                        • String ID:
                                        • API String ID: 3055081903-0
                                        APIs
                                        • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00CC774D
                                        • SendMessageW.USER32(?,0000102B,0000009B,?), ref: 00CC7932
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,28CB4BA0,00000000,?,00000000), ref: 00DBE48E
                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 00DBE4D9
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        APIs
                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,28CB4BA0,00000008,00000000), ref: 00DA227B
                                        • GetLastError.KERNEL32 ref: 00DA2285
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        APIs
                                        • GetWindowLongW.USER32(00000000,000000FC), ref: 00D0007F
                                        • SetWindowLongW.USER32(00000000,000000FC,?), ref: 00D0008D
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,28CB4BA0,?,00000000,00000000,00000000,00EA351D,000000FF), ref: 00DCE678
                                        • FindClose.KERNEL32(00000000,?,28CB4BA0,?,00000000,00000000,00000000,00EA351D,000000FF), ref: 00DCE6C2
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2281368116.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_14dc000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1:"
                                        • API String ID: 0-706857256
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2282022156.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_14fe000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: 2
                                        • API String ID: 0-450215437
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E5423A
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • EnumSystemLocalesW.KERNEL32(00E53F93,00000001,00000000,?,-00000050,?,00E545C4,00000000,?,?,?,00000055,?), ref: 00E53EDF
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E541AF,00000000,00000000,?), ref: 00E54441
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: 58ba5ea545e7f0ddaf2f7290a0a444a3302683a972313dd3198bb37a1b6cd68f
                                        • Instruction ID: 1c8dcc13f8d11cf88c744a345eefc8dc7cb8dd8892e21437386c5467cd4f7c06
                                        • Opcode Fuzzy Hash: 58ba5ea545e7f0ddaf2f7290a0a444a3302683a972313dd3198bb37a1b6cd68f
                                        • Instruction Fuzzy Hash: 20F0F972A501117BDB2856258C057FA7768EB4075DF154824ED65B31C0EB34FF87C6A0
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00E53DCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID: utf8
                                        • API String ID: 3736152602-905460609
                                        • Opcode ID: 8e3d06adba8a32b94d5311dc10427f444b859bc49cfcf9bf7883ebc2308fb430
                                        • Instruction ID: 3cda3027a5de33eba360fa55da54d36782b248b224cc67d7f5462c825e5b807a
                                        • Opcode Fuzzy Hash: 8e3d06adba8a32b94d5311dc10427f444b859bc49cfcf9bf7883ebc2308fb430
                                        • Instruction Fuzzy Hash: E4F0C832A11105ABC728AB38DC4AABA77ECDF49355F105179FA06E7281EA74AD05C750
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • EnumSystemLocalesW.KERNEL32(00E541E6,00000001,?,?,-00000050,?,00E54588,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00E53F52
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: e95d15bc744e22709699fda0ad8f340a6016a6e441542b78997ef6195a1cf0c5
                                        • Instruction ID: aec7327605e5cd38038e69d8355935e52ee64131257766f2ae357b1dc1d34e22
                                        • Opcode Fuzzy Hash: e95d15bc744e22709699fda0ad8f340a6016a6e441542b78997ef6195a1cf0c5
                                        • Instruction Fuzzy Hash: 0AF046367043046FCB245F399C81ABA7BE4FF807ADF14482CFD059B680D6B19D46C620
                                        APIs
                                          • Part of subcall function 00E4A89A: EnterCriticalSection.KERNEL32(-00F45108,?,00E4CE16,00CA9F56,00F39668,0000000C,00E4D0E1,?), ref: 00E4A8A9
                                        • EnumSystemLocalesW.KERNEL32(00E4FBFC,00000001,00F397A8,0000000C,00E5002B,00000000), ref: 00E4FC41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 4b321e0d2a7394a0caadac52dcd3bc6317f7856fa852380119c55d5fc5baed97
                                        • Instruction ID: 4a8c36b0cfeb50e1983003720cbae2c32cd768031d8bd190d03ef3f140d13eed
                                        • Opcode Fuzzy Hash: 4b321e0d2a7394a0caadac52dcd3bc6317f7856fa852380119c55d5fc5baed97
                                        • Instruction Fuzzy Hash: E3F04F76A40204DFD714EFA8E842B9D77F0FB05B21F10412AF814EB2A1CBB54941DB51
                                        APIs
                                          • Part of subcall function 00E4D836: GetLastError.KERNEL32(?,00000008,00E4F453), ref: 00E4D83A
                                          • Part of subcall function 00E4D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00E4D8DC
                                        • EnumSystemLocalesW.KERNEL32(00E53D7B,00000001,?,?,?,00E545E6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00E53E59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: eee627fb1223ab54c9508b35c76a64817941a132debcc9180a9859a95a817091
                                        • Instruction ID: 3ecd4764bd386c3dec8f24d736dd044dd55e68d780d170350885ab222dbbf9eb
                                        • Opcode Fuzzy Hash: eee627fb1223ab54c9508b35c76a64817941a132debcc9180a9859a95a817091
                                        • Instruction Fuzzy Hash: B1F0553630030557CB049F3AE84666ABFE4EFC1795F0A0059EE099B260CA329947C750
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00CBFD16,?,?,?,?,?,?,?,?,00CBFB78,?,?), ref: 00CC1640
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: NtdllProc_Window
                                        • String ID:
                                        • API String ID: 4255912815-0
                                        • Opcode ID: 4efef1c4628d8ccc081117132e09dad8fc5797023e4b5c73bbd3448bc401b0f1
                                        • Instruction ID: 77c595e95b04ba91f26bfbbd8653723f0538635886b69e0c46c2562fbefdf5cb
                                        • Opcode Fuzzy Hash: 4efef1c4628d8ccc081117132e09dad8fc5797023e4b5c73bbd3448bc401b0f1
                                        • Instruction Fuzzy Hash: A5F05874004185DEE3008F16C898F69BBAAFB47346F4C45F9F9A8C5462C239CE54DF10
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00E49F14,?,20001004,00000000,00000002,?,?,00E49516), ref: 00E501BA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 5f2ee7ccbcb212d6c748c03ebcbf530c090671f95c766ac297bf20264cf5b39a
                                        • Instruction ID: 6bf866f76819e2276ece56e448377ee32390b8530a566fa62c7be2bfc2dc830a
                                        • Opcode Fuzzy Hash: 5f2ee7ccbcb212d6c748c03ebcbf530c090671f95c766ac297bf20264cf5b39a
                                        • Instruction Fuzzy Hash: 07E04F31502528BBCF122F61ED05AAE7F69FF44751F004420FD0575221CB319925EAD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1
                                        • API String ID: 0-2212294583
                                        • Opcode ID: fc03b5945b5a1a3d7cf7bc1e17a0a4e5b3a3900ccba4da89e4f82882fc274d2a
                                        • Instruction ID: c14db5ee89120ec81b464d5d916df66176b06e6a44959b22067f2f66289153c3
                                        • Opcode Fuzzy Hash: fc03b5945b5a1a3d7cf7bc1e17a0a4e5b3a3900ccba4da89e4f82882fc274d2a
                                        • Instruction Fuzzy Hash: 69D115B050578AEFE709CF64C55878AFBF4BF05308F24824DD4686B281D3BAA618CBD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {
                                        • API String ID: 0-2739055043
                                        • Opcode ID: f03d65f404e731966419f7e63bd55b602a31335508d8e129144a7d87bbed746d
                                        • Instruction ID: dade65e8b60ca65defdb3af5ba7d3c087a7ad744ad9e5f65e1389d3eea55cc4e
                                        • Opcode Fuzzy Hash: f03d65f404e731966419f7e63bd55b602a31335508d8e129144a7d87bbed746d
                                        • Instruction Fuzzy Hash: F941D6B0905749EED704CF69C50978AFBF0BB09318F10869DD458AB781D3BAA619CBD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `V
                                        • API String ID: 0-3309648629
                                        • Opcode ID: 337a8fdfd13b0a57bd1754ff134a16b5ef27fbc7dd6ff537bf8c5f5a697d9461
                                        • Instruction ID: c87b76adccd6fcc2aaba160459dd0f546177d4220c9b9352432da65330ad1320
                                        • Opcode Fuzzy Hash: 337a8fdfd13b0a57bd1754ff134a16b5ef27fbc7dd6ff537bf8c5f5a697d9461
                                        • Instruction Fuzzy Hash: 1731EDB1405B84CEE321CF29C658747BFF0BB15728F108A4DD4A25BB91C3BAB648CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9260779f8dff2f6dc8266571569031f2b41d8e95c0008389178d65e09e244fb0
                                        • Instruction ID: e0e249a76c0034c24141002b3d52a7caedbbcffba978dba5db974e0a9eebc532
                                        • Opcode Fuzzy Hash: 9260779f8dff2f6dc8266571569031f2b41d8e95c0008389178d65e09e244fb0
                                        • Instruction Fuzzy Hash: 6802CB75A002159FDB18DF6CC885BAEB7F5EB55320F14822EE815E7351E730AD04CBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 733b094125585bc0793c6c5b651e6eb080b77c9130cd350b5d2f838ca270ba6e
                                        • Instruction ID: e2ff559ca8f1def0f19d057402dc64d6db0f6e4bc1fc5fa6102f333614959334
                                        • Opcode Fuzzy Hash: 733b094125585bc0793c6c5b651e6eb080b77c9130cd350b5d2f838ca270ba6e
                                        • Instruction Fuzzy Hash: 44E1AC74A006058FCB28CF68C489AAABBF1FF84318F24665AD456BB3D1D730ED46CB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c9c4a220dff9b2185c4e70b9d8119cd7217065a0fca14faf9274004294fe8d9
                                        • Instruction ID: 3abcd1e545fec44c399f47f27366a8adea51280583166803fdc212282ac39ab8
                                        • Opcode Fuzzy Hash: 2c9c4a220dff9b2185c4e70b9d8119cd7217065a0fca14faf9274004294fe8d9
                                        • Instruction Fuzzy Hash: 82C1AC70A00646CFCB28CE68C4996BEBFE1AF49318F246619D496B73D2D730ED46CB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                        • String ID:
                                        • API String ID: 3471368781-0
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • GetModuleHandleW.KERNEL32(kernel32,28CB4BA0,?,?,00000000), ref: 00D8A3B3
                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00D8A3FB
                                        • __Init_thread_footer.LIBCMT ref: 00D8A40E
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00D8A456
                                        • __Init_thread_footer.LIBCMT ref: 00D8A469
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D8A4B1
                                        • __Init_thread_footer.LIBCMT ref: 00D8A4C4
                                          • Part of subcall function 00D61FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D61FF1
                                          • Part of subcall function 00D61FB0: _wcschr.LIBVCRUNTIME ref: 00D620AF
                                        Strings
                                        • 0|, xrefs: 00D8A500
                                        • SetSearchPathMode, xrefs: 00D8A3F5
                                        • SetDllDirectory, xrefs: 00D8A450
                                        • P*, xrefs: 00D8A582
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00D8A327, 00D8A32F
                                        • kernel32.dll, xrefs: 00D8A60D
                                        • |, xrefs: 00D8A55A
                                        • ~, xrefs: 00D8A653
                                        • l~, xrefs: 00D8A630
                                        • d}, xrefs: 00D8A5A0
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00D8A340, 00D8A34F
                                        • x|, xrefs: 00D8A4F6
                                        • T~, xrefs: 00D8A5E3
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00D8A322
                                        • @|, xrefs: 00D8A50A
                                        • H}, xrefs: 00D8A596
                                        • $~, xrefs: 00D8A61B
                                        • 0}, xrefs: 00D8A550
                                        • 0|, xrefs: 00D8A5F8
                                        • T|, xrefs: 00D8A4EC
                                        • kernel32, xrefs: 00D8A3AE
                                        • SetDefaultDllDirectories, xrefs: 00D8A4AB
                                        • x}, xrefs: 00D8A56E
                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00D8A347
                                        • <~, xrefs: 00D8A5DC
                                        Similarity
                                        • API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
                                        • String ID: $~$0|$0|$0}$<~$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@|$H}$P*$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$T|$T~$d}$kernel32$kernel32.dll$l~$x|$x}$|$~
                                        • API String ID: 1258094593-3981691408
                                        APIs
                                        • LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00DE2FA9
                                        • LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00DE2FB9
                                        • GetLastError.KERNEL32(?,00000000), ref: 00DE2FF7
                                        • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 00DE3036
                                        • GetLastError.KERNEL32(?,00000000), ref: 00DE3050
                                        • LocalFree.KERNEL32(?,?,00000000), ref: 00DE3061
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,28CB4BA0,7622F530,?,?), ref: 00DE3100
                                        • GetLastError.KERNEL32 ref: 00DE311E
                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00DE314B
                                        • GetLastError.KERNEL32 ref: 00DE3155
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DE31DA
                                        • GetLastError.KERNEL32 ref: 00DE31E4
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DE321C
                                        • SystemTimeToFileTime.KERNEL32(00000000,00EC341C), ref: 00DE323D
                                        • CompareFileTime.KERNEL32(00EC341C,?), ref: 00DE324F
                                        • PathFileExistsW.SHLWAPI(?,00000005), ref: 00DE32EC
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,00000001,S-1-1-0,10000000,00000001), ref: 00DE3387
                                        • GetLastError.KERNEL32 ref: 00DE3397
                                        • CloseHandle.KERNEL32(00000000), ref: 00DE339F
                                        Similarity
                                        • API ID: FileTime$ErrorLast$Local$FreeSystem$Create$AllocCloseCompareExistsHandlePath
                                        • String ID: .part$S-1-1-0$S-1-5-18
                                        • API String ID: 1123205858-2727065896
                                        Strings
                                        • powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00DD4C6F
                                        • Unable to retrieve PowerShell output from file: , xrefs: 00DD4E6F
                                        • ps1, xrefs: 00DD4BB6, 00DD4BC8, 00DD4BD2
                                        • txt, xrefs: 00DD4BE3
                                        • Unable to retrieve exit code from process., xrefs: 00DD4E92
                                        • Unable to create process: , xrefs: 00DD4D15
                                        • Unable to get a temp file for script output, temp path: , xrefs: 00DD4C1F
                                        • Unable to find file , xrefs: 00DD4B43
                                        Similarity
                                        • API ID:
                                        • String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
                                        • API String ID: 0-4129021124
                                        APIs
                                        • OutputDebugStringW.KERNEL32(?,28CB4BA0,?,?,?,00E9C4C5,000000FF,?,00DE04CF,?,?,?,00000000), ref: 00DADCD8
                                        • GetActiveWindow.USER32 ref: 00DADC3A
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        Strings
                                        • MSINEWINSTANCE=1 , xrefs: 00DAE8E6
                                        • TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 , xrefs: 00DAE8FF
                                        • |3, xrefs: 00DAE992
                                        • AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00DAEB95
                                        • TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1, xrefs: 00DAE8B7
                                        • "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00DAE818
                                        • TRANSFORMS=:%s.mst MSINEWINSTANCE=1 , xrefs: 00DAE910
                                        • .mst, xrefs: 00DAE797, 00DAE7FE, 00DAECBE
                                        • REINSTALL=ALL REINSTALLMODE=vomus , xrefs: 00DAED93
                                        • "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00DAE7B2
                                        • |3, xrefs: 00DAEA9F
                                        • %s , xrefs: 00DAEA4C, 00DAED81
                                        • .msi, xrefs: 00DAE747, 00DAEC40
                                        • majorupgrade-content.mst, xrefs: 00DAE756, 00DAEC4F
                                        • "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00DAECDF
                                        Similarity
                                        • API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
                                        • String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$majorupgrade-content.mst$|3$|3
                                        • API String ID: 758407959-886929426
                                        • Opcode ID: ba2b45448e1e97ef854ea70b7f47d4ca40295225411dcf78c8c0396616388a22
                                        • Instruction ID: 4bde9693ca2bde835201b61c3e7b25c04a3ad1464ed82a5b02eeb0b030f42a06
                                        • Opcode Fuzzy Hash: ba2b45448e1e97ef854ea70b7f47d4ca40295225411dcf78c8c0396616388a22
                                        • Instruction Fuzzy Hash: A851C075A002059FDB14DB6CC8457AEBBF5EF4A320F18829DE816E7391DB319D00CBA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$LongParentlstrcmp
                                        • String ID: #32770$L4
                                        • API String ID: 4031819654-2928383255
                                        • Opcode ID: 5df4e7ef8e9021da4d1e3812c6d24642ed9863232726bb527cadc067cc8d709d
                                        • Instruction ID: 256dd1635208023b0a8e595bb3fb132db8e3ae55a5d1b8fb54623c9cdf346636
                                        • Opcode Fuzzy Hash: 5df4e7ef8e9021da4d1e3812c6d24642ed9863232726bb527cadc067cc8d709d
                                        • Instruction Fuzzy Hash: 07E19E74A00219EFDB14CFA4C858BEEBBB5FF09710F588158E811B7290D735AE44DB60
                                        APIs
                                        • GetDlgItem.USER32(?,000001F6), ref: 00DA9EDE
                                        • GetDlgItem.USER32(?,000001F8), ref: 00DA9EEB
                                        • GetDlgItem.USER32(?,000001F7), ref: 00DA9F38
                                        • SetWindowTextW.USER32(00000000,00000000), ref: 00DA9F47
                                        • ShowWindow.USER32(?,00000005), ref: 00DA9F67
                                          • Part of subcall function 00DA93B0: GetWindowLongW.USER32(?,000000F0), ref: 00DA93EF
                                          • Part of subcall function 00DA93B0: GetWindowLongW.USER32(?,000000F0), ref: 00DA9400
                                          • Part of subcall function 00DA93B0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DA9412
                                          • Part of subcall function 00DA93B0: GetWindowLongW.USER32(?,000000EC), ref: 00DA9425
                                          • Part of subcall function 00DA93B0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DA9434
                                          • Part of subcall function 00DA93B0: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00DA9448
                                          • Part of subcall function 00DA93B0: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DA9457
                                        • GetDlgItem.USER32(?,000001F7), ref: 00DA9F86
                                        • SetWindowTextW.USER32(00000000,00000000), ref: 00DA9F95
                                        • ShowWindow.USER32(?,00000000), ref: 00DA9FB5
                                        • ShowWindow.USER32(?,00000000), ref: 00DA9FBC
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00DAA005
                                        • GetDlgItem.USER32(00000000,00000000), ref: 00DAA039
                                        • IsWindow.USER32(00000000), ref: 00DAA043
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000616), ref: 00DAA090
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$ItemLong$Show$MessageSendText
                                        • String ID: Details <<$Details >>
                                        • API String ID: 1573988680-3763984547
                                        • Opcode ID: a4b27bcf7ce6340bb6a79edcb042ae175cb32b804547b186c0b69ef5d32794d2
                                        • Instruction ID: 3fc2b7b4fb597d7079d8dd3456933f9fcef30e4dfae18eb703082277b1192592
                                        • Opcode Fuzzy Hash: a4b27bcf7ce6340bb6a79edcb042ae175cb32b804547b186c0b69ef5d32794d2
                                        • Instruction Fuzzy Hash: D471BC71900208ABDB20DFA8DC56BAEFBF5EF59704F24861DF901B62A0D771A841DB60
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • CreateThread.KERNEL32(00000000,00000000,00CD29B0,00EC7458,00000000,?), ref: 00CD292A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CD2943
                                        • CloseHandle.KERNEL32(00000000), ref: 00CD2959
                                        • CoInitializeEx.COMBASE(00000000,00000000), ref: 00CD2A09
                                        • GetProcessHeap.KERNEL32(?,00000000), ref: 00CD2B0B
                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 00CD2B11
                                        • GetProcessHeap.KERNEL32(?,00000000), ref: 00CD2B90
                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 00CD2B96
                                        • CoUninitialize.COMBASE ref: 00CD2CEA
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00CD2D6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
                                        • String ID: $t$Xt$|3$|3
                                        • API String ID: 1779960141-1773862339
                                        • Opcode ID: 9455241e11ec095866739ea50d9cdd01eab9fea611ad013314aa6ee46a360a55
                                        • Instruction ID: 5b359672b924b8feab13e382e5f9522872543c6421c0ef7a060bf6961d69cff1
                                        • Opcode Fuzzy Hash: 9455241e11ec095866739ea50d9cdd01eab9fea611ad013314aa6ee46a360a55
                                        • Instruction Fuzzy Hash: 05F17B70D00248DFDB10DFA8C945BAEBBF8FF54304F20815AE915AB391DB749A49DBA1
                                        APIs
                                        • LoadLibraryW.KERNEL32(Advapi32.dll,28CB4BA0,00000000,00000000), ref: 00DE2AA1
                                        • GetLastError.KERNEL32 ref: 00DE2ACF
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                        • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00DE2AE5
                                        • FreeLibrary.KERNEL32(00000000), ref: 00DE2AFE
                                        • GetLastError.KERNEL32 ref: 00DE2B0B
                                        • GetLastError.KERNEL32 ref: 00DE2CF9
                                        • GetLastError.KERNEL32 ref: 00DE2D5E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ErrorLast$Library$AddressAllocFreeHeapLoadProc
                                        • String ID: ,($Advapi32.dll$ConvertStringSidToSidW
                                        • API String ID: 1560807876-1024809297
                                        • Opcode ID: a51636e404bec7900a62fe29d958cfbb915f6ff39f1264a150030cc82d17287f
                                        • Instruction ID: 7d3eee948012a28a8dd33ef46efc58fdb6d10dc68c84ab9e89ad4251de213759
                                        • Opcode Fuzzy Hash: a51636e404bec7900a62fe29d958cfbb915f6ff39f1264a150030cc82d17287f
                                        • Instruction Fuzzy Hash: C2F17CB1C01259EFDB00EFA5C9457EEBBB8FF14314F248219E915B7280D770AA59CBA1
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,28CB4BA0,?,?,00000000,?,?,?,?,?,?,28CB4BA0,00E68E95,000000FF), ref: 00CDD74D
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CDD753
                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,28CB4BA0,00E68E95,000000FF,?,00CF45FA,00ECB84C,28CB4BA0,28CB4BA0), ref: 00CDD783
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CDD789
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$|3
                                        • API String ID: 2574300362-3126793432
                                        • Opcode ID: 975111a0be7e4b409ba059e15c3e15b95853ca9a04b40151a8be55aa7069cc9e
                                        • Instruction ID: a007b8ddfe74c34d1c413c91065e2f9d67c15f42bd093cc39d027f3581cd2212
                                        • Opcode Fuzzy Hash: 975111a0be7e4b409ba059e15c3e15b95853ca9a04b40151a8be55aa7069cc9e
                                        • Instruction Fuzzy Hash: 92A18A71D00209EFDF15EFA8C895BAEBBF4EF08310F14412AE622B7291DB719A45DB51
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,28CB4BA0,?,?,?,?,?,?,?,28CB4BA0,00E664A5,000000FF,?,00CD371A,00EC74D0), ref: 00CD3467
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CD346D
                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,28CB4BA0,00E664A5,000000FF,?,00CD371A,00EC74D0,28CB4BA0,28CB4BA0), ref: 00CD349E
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CD34A4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$|3
                                        • API String ID: 2574300362-3126793432
                                        • Opcode ID: 263ffe338dfba13beecb19c6a8743dd164778c8c55d4cb03f598dfd0c66a169e
                                        • Instruction ID: c1ea4db548ab4e4032c52efe6c4a2b5bb5b64195e9ebe4e8e078a263537e084b
                                        • Opcode Fuzzy Hash: 263ffe338dfba13beecb19c6a8743dd164778c8c55d4cb03f598dfd0c66a169e
                                        • Instruction Fuzzy Hash: 3A818C70900248EFDB15DFA8D995BEEBBB4FF08310F14412AEA21B7391DB749A05CB61
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00F46054,28CB4BA0,?,00000010), ref: 00DD74FC
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        • EnterCriticalSection.KERNEL32(00000010,28CB4BA0,?,00000010), ref: 00DD7509
                                        • WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00DD753B
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00DD7544
                                        • WriteFile.KERNEL32(00000000,00DC3C07,6054B9EC,00EA500D,00000000,00EC334C,00000001,?,?,000000FF,00000000), ref: 00DD75C6
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00DD75CF
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00DD7605
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00DD760E
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,00EC58A8,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 00DD766F
                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00DD7678
                                        • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00DD76A8
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$BuffersFlushWrite$CriticalSection$AllocEnterFindHeapInitializeLeaveResource
                                        • String ID: 4w$L3
                                        • API String ID: 3436934177-2921611606
                                        • Opcode ID: 4b5a59e0669f41d8e2576cd4553bfaabec50715190036a096ce2abf029cdb331
                                        • Instruction ID: 20a6f009f76d2d2a264433777f807ac118302265e271d0715d8a689d83853273
                                        • Opcode Fuzzy Hash: 4b5a59e0669f41d8e2576cd4553bfaabec50715190036a096ce2abf029cdb331
                                        • Instruction Fuzzy Hash: 5361C031905645EFDB00DF68CD49BAABBB8FF05314F148259F805A73A1EB31A918DBA0
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00CFA49E
                                        • SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00CFA4CC
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00CFA4E1
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00CFA518
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CFA545
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00CFA559
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00CFA57B
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CFA592
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00CFA5A6
                                        • GetWindowRect.USER32(?,?), ref: 00CFA5F6
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00CFA61C
                                        • GetWindowRect.USER32(?,?), ref: 00CFA66A
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,?), ref: 00CFA6A0
                                        • SetWindowTextW.USER32(?,?), ref: 00CFA6E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$Rect$Text
                                        • String ID:
                                        • API String ID: 445026432-0
                                        • Opcode ID: 7a22adfb16b284e6a47742d1d12a3b002ae5bb3c1e24dc47204946b617948ab2
                                        • Instruction ID: 7cee46dc08302fe33f9d9f354a2aa54bb08a1dc0f13efeb55f389fdee02991e5
                                        • Opcode Fuzzy Hash: 7a22adfb16b284e6a47742d1d12a3b002ae5bb3c1e24dc47204946b617948ab2
                                        • Instruction Fuzzy Hash: F0917F75A00609AFDB04DFA8DC45BEDBBB5FF58310F204229F926E72A4DB35A910DB50
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00F4611C,28CB4BA0,?,?,00000000,?,?,?,?,?,00000000,00E9B407,000000FF), ref: 00DA84B3
                                        • EnterCriticalSection.KERNEL32(?,28CB4BA0,?,?,00000000,?,?,?,?,?,00000000,00E9B407,000000FF), ref: 00DA84C5
                                        • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00E9B407,000000FF), ref: 00DA84D2
                                        • GetCurrentThread.KERNEL32 ref: 00DA84DD
                                        • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,00000000,?,00EC337C,00000000,?,?,?,?,?,00000000,00E9B407,000000FF), ref: 00DA86BE
                                        • LeaveCriticalSection.KERNEL32(?,00EC337C,00000000,?,?,?,?,?,00000000,00E9B407,000000FF), ref: 00DA879A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
                                        • String ID: *** Stack Trace (x86) ***$ 4w$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix] ${t
                                        • API String ID: 3051236879-3716644935
                                        • Opcode ID: 77a40d81d3256100f3aeabc19b322749bc1512727d11633b80f4228476da668d
                                        • Instruction ID: 2a06d39a7e84e0859aee12eeb695b2e4d5affce1a9031493b59e999beb16b4d8
                                        • Opcode Fuzzy Hash: 77a40d81d3256100f3aeabc19b322749bc1512727d11633b80f4228476da668d
                                        • Instruction Fuzzy Hash: 94A17D719003889FEF25DFA4CD45BEE7BB8BF06308F044168E959AB281DB755B08DB61
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00D059F7
                                        • GetParent.USER32 ref: 00D05A0D
                                        • GetWindowRect.USER32(?,?), ref: 00D05A18
                                        • GetParent.USER32(?), ref: 00D05A20
                                        • GetWindow.USER32(?,00000004), ref: 00D05A52
                                        • GetWindowRect.USER32(?,?), ref: 00D05A60
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00D05A6D
                                        • MonitorFromWindow.USER32(?,00000002), ref: 00D05A85
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00D05A9F
                                        • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00D05B4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$LongMonitorParentRect$FromInfo
                                        • String ID: $/
                                        • API String ID: 1820395375-2114005866
                                        • Opcode ID: 543c4e5c94a80830af75a725a89e3b8d04cbcd3d6afb47dbd274845d050afb3e
                                        • Instruction ID: 5047c72aa6ec59bc291b18825abeeeaad4c175706f994b74250c7981b3fad136
                                        • Opcode Fuzzy Hash: 543c4e5c94a80830af75a725a89e3b8d04cbcd3d6afb47dbd274845d050afb3e
                                        • Instruction Fuzzy Hash: C6514E76E005199FDB10CBA8DD45B9EBBB9EB49710F254229EC15B3294DB30BD05CF50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DA93EF
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DA9400
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DA9412
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00DA9425
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DA9434
                                        • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00DA9448
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DA9457
                                        • GetWindowRect.USER32(?,?), ref: 00DA9496
                                        • GetDlgItem.USER32(?,?), ref: 00DA94D2
                                        • IsWindow.USER32(00000000), ref: 00DA94DD
                                        • GetWindowRect.USER32(?,?), ref: 00DA94F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$MessageRectSend$Item
                                        • String ID: $/
                                        • API String ID: 661679956-2114005866
                                        • Opcode ID: 5c222c375744e481506f687a35e34be7deb4edba2f81cb39d436423b15c812b7
                                        • Instruction ID: a4735b784a95284fdaf01981d2201138eb7951c0c6c635cf398ab0d11b43fd2b
                                        • Opcode Fuzzy Hash: 5c222c375744e481506f687a35e34be7deb4edba2f81cb39d436423b15c812b7
                                        • Instruction Fuzzy Hash: 81419E355047059FD720DF68DC90B2BF7E4BF6A314F148A1DF9AAA22A1D770F8848B61
                                        APIs
                                          • Part of subcall function 00DA2350: LoadLibraryW.KERNEL32(ComCtl32.dll,28CB4BA0,00000000,?,00000000), ref: 00DA238E
                                          • Part of subcall function 00DA2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DA23B1
                                          • Part of subcall function 00DA2350: FreeLibrary.KERNEL32(00000000), ref: 00DA242F
                                        • GetDlgItem.USER32(?,000001F4), ref: 00DA9D41
                                        • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00DA9D52
                                        • MulDiv.KERNEL32(00000009,00000000), ref: 00DA9D6A
                                        • GetDlgItem.USER32(?,000001F6), ref: 00DA9DA4
                                        • IsWindow.USER32(00000000), ref: 00DA9DAD
                                        • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00DA9DC4
                                        • GetDlgItem.USER32(?,000001F8), ref: 00DA9DCE
                                        • GetWindowRect.USER32(?,?), ref: 00DA9DDF
                                        • GetWindowRect.USER32(?,?), ref: 00DA9DF2
                                        • GetWindowRect.USER32(00000000,?), ref: 00DA9E02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
                                        • String ID: ;3$Courier New
                                        • API String ID: 1717253393-2995846664
                                        • Opcode ID: 628127993f399d4e433f37f5292ec3a9cde6c4871c3431a7952c1c68f2535922
                                        • Instruction ID: a142462b6a486640d780ac065df32f3439a1d2cc59d5ceb2e1e5e28e24cabf03
                                        • Opcode Fuzzy Hash: 628127993f399d4e433f37f5292ec3a9cde6c4871c3431a7952c1c68f2535922
                                        • Instruction Fuzzy Hash: 9A41C771BC43087BEB149F258C52FAE77A9EF59B04F050519FB057A1D1DAB0B8408B64
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00F46250,28CB4BA0,00000000,?,?,?,?,?,?,00CAEE50,00E5F68D,000000FF), ref: 00CAF62D
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00CAF6A8
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00CAF74E
                                        • LeaveCriticalSection.KERNEL32(00F46250), ref: 00CAF7A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalCursorLoadSection$EnterLeave
                                        • String ID: 4w$0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST$f.$p.
                                        • API String ID: 3727441302-1818679655
                                        • Opcode ID: 4a923034f8968cb49a2105a538c5cdefcbc8a24b8fff4c4c7eebf12f0b9420db
                                        • Instruction ID: 1a8975a6d4ab02db24419f89fd1f521e7735d232788ac38fcca34f280ceff03f
                                        • Opcode Fuzzy Hash: 4a923034f8968cb49a2105a538c5cdefcbc8a24b8fff4c4c7eebf12f0b9420db
                                        • Instruction Fuzzy Hash: 8A5137B4C11319AFDB10DFE4D988BDEBFF8AB09718F10412AE804F7290DBB556059BA1
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,28CB4BA0,?,?), ref: 00DCEC83
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00DCEE19
                                        • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00DCEE75
                                        • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00DCEEC5
                                        • RegCloseKey.ADVAPI32(?), ref: 00DCEF05
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue$Close
                                        • String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                        • API String ID: 2529929805-1079072530
                                        • Opcode ID: f8786f31c08c4c99d37f3e8e8c1cc2ed08bfa7b5a0f1fad9df90774cf1b9bee5
                                        • Instruction ID: 0fc00bea1251ed8ad14048d68cb372d17d9a9c06da2eb83f2d452d7e1fadb813
                                        • Opcode Fuzzy Hash: f8786f31c08c4c99d37f3e8e8c1cc2ed08bfa7b5a0f1fad9df90774cf1b9bee5
                                        • Instruction Fuzzy Hash: 4902807090526A9BDB20DF68CC89BDDB7B4EF54304F1442E9E809A7291DB75AE84CF60
                                        APIs
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,28CB4BA0,?,?,00F46054), ref: 00DD81F8
                                        • LoadLibraryW.KERNEL32(Shell32.dll,?,00F46054), ref: 00DD8207
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00DD821B
                                        • SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00DD829A
                                        • SHGetMalloc.SHELL32(?), ref: 00DD82D7
                                        • PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,?,00000000), ref: 00DD832A
                                        • CreateDirectoryW.KERNEL32(?,?,Everyone,10000000,00000000,?,00000000), ref: 00DD83B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Path$AddressCreateDirectoryExistsFileFolderFromLibraryListLoadLocationMallocProcSpecial
                                        • String ID: ADVINST_LOGS$Everyone$SHGetSpecialFolderPathW$Shell32.dll
                                        • API String ID: 1254244429-1733115844
                                        • Opcode ID: 6f0454d7b10696c84ebfaa78277ac0832f2f4ac464d2634a10e762f29fac73dd
                                        • Instruction ID: fe3785d651ba5b63bc21cd0ba326f36c22960479d47be6662d5f237f0dc2963b
                                        • Opcode Fuzzy Hash: 6f0454d7b10696c84ebfaa78277ac0832f2f4ac464d2634a10e762f29fac73dd
                                        • Instruction Fuzzy Hash: D9B1BB70D00609DFDB11DFA9C849BAEBBF4EF54310F28825AE415B73A0EB749A04DB60
                                        APIs
                                        • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,28CB4BA0), ref: 00CCC85C
                                          • Part of subcall function 00CB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00CB0DE6
                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00CCC95F
                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00CCC973
                                        • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00CCC988
                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00CCC99D
                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00CCC9B4
                                        • GetWindowRect.USER32(?,?), ref: 00CCC9E6
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 00CCCA48
                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00CCCA58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateLongRect
                                        • String ID: ,$tooltips_class32
                                        • API String ID: 1954517558-3856767331
                                        • Opcode ID: ce42b091aa18814f3b5b31d1a99b85090035526849e3933e11d68de1b931da30
                                        • Instruction ID: 65428758f225738e9d44b669da59e99994cc6ea4e85716801823ce8cca7fda22
                                        • Opcode Fuzzy Hash: ce42b091aa18814f3b5b31d1a99b85090035526849e3933e11d68de1b931da30
                                        • Instruction Fuzzy Hash: 26912D75A00308AFEB14CFA4DD95FAEBBF9FB08700F14452AF916EA291D774A904DB50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00DA9A94
                                        • EndDialog.USER32(?,00000000), ref: 00DA9B52
                                          • Part of subcall function 00DA9550: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00DA9582
                                          • Part of subcall function 00DA9550: GetWindowLongW.USER32(?,000000F0), ref: 00DA9588
                                          • Part of subcall function 00DA9550: GetDlgItem.USER32(?,?), ref: 00DA95FA
                                          • Part of subcall function 00DA9550: GetWindowRect.USER32(00000000,?), ref: 00DA9612
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Long$DialogItemMessageRectSend
                                        • String ID: L/$U2
                                        • API String ID: 188208873-3769047970
                                        • Opcode ID: 8cc31bbfda107241db22823e9e0b5252022f82763cc908f9c0960109e653f492
                                        • Instruction ID: 5be551eeacd3261ee67ddfd0ee3784c677bfc83d00ea5906ec3be3e89055bec9
                                        • Opcode Fuzzy Hash: 8cc31bbfda107241db22823e9e0b5252022f82763cc908f9c0960109e653f492
                                        • Instruction Fuzzy Hash: FD71B231A006099BDB14CF69CCA8BAEFBF4FB4A720F140619E812E76D0D774E940DB60
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00DA54AE
                                        • __Init_thread_footer.LIBCMT ref: 00DA5607
                                        • GetStdHandle.KERNEL32(000000F5,?,28CB4BA0,?,?), ref: 00DA568F
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00DA5696
                                        • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00DA56AA
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00DA56B1
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,00EC58A8,00000002,?,?), ref: 00DA5740
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00DA5747
                                        • IsWindow.USER32(00000000), ref: 00DA5960
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
                                        • String ID: Error
                                        • API String ID: 2811146417-2619118453
                                        • Opcode ID: 4f7204ce0fdc8a6ecaedced784530bd7434b3ee5f27dae4c29512b0b2c023f89
                                        • Instruction ID: 857479c9cd2119057ea804f3b73c79fa8a2f14ced30250289057585be9e22aed
                                        • Opcode Fuzzy Hash: 4f7204ce0fdc8a6ecaedced784530bd7434b3ee5f27dae4c29512b0b2c023f89
                                        • Instruction Fuzzy Hash: FE226A70D00708DFDB10CFA4D945B9EBBB0BF16318F244298E459B7291DBB5AA88CF61
                                        APIs
                                          • Part of subcall function 00D61FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D61FF1
                                          • Part of subcall function 00D61FB0: _wcschr.LIBVCRUNTIME ref: 00D620AF
                                        • GetLastError.KERNEL32(28CB4BA0,?,?,?,000000FF,?,00DB4196,?,?), ref: 00DCF8ED
                                        • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00DCFA7A
                                        • GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00DCFADE
                                        • FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,00DB4196,?,?), ref: 00DCFBD2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem_wcschr
                                        • String ID: ,($GetPackagePath$Kernel32.dll$neutral$x64$x86
                                        • API String ID: 3734293021-3125337207
                                        • Opcode ID: 9b6bd68a80eb0095d160a34c8d0f60fb052a19f0f5f8b1ed6f4d4efa4c42f8af
                                        • Instruction ID: e3478a9e9d590d86b81af6daceb85d2dca996721ac8dde6e2beee862d6c4ca28
                                        • Opcode Fuzzy Hash: 9b6bd68a80eb0095d160a34c8d0f60fb052a19f0f5f8b1ed6f4d4efa4c42f8af
                                        • Instruction Fuzzy Hash: E8C15C70A002069FDB04DFA8C995B9EFBB6FF49314F14826DE815AB391DB709D45CBA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
                                        • API String ID: 0-2691827946
                                        • Opcode ID: 25be65ebf49e89e2c18ea8e3924b1de5b54ef688f00a28ffe5d1cbc302c76b95
                                        • Instruction ID: 0c032bf2373faccea9b642506a6417ebfa6b6e955e9292c3269c08264971a83a
                                        • Opcode Fuzzy Hash: 25be65ebf49e89e2c18ea8e3924b1de5b54ef688f00a28ffe5d1cbc302c76b95
                                        • Instruction Fuzzy Hash: DBB1ADB1A00349DFDB14CF48D845B6EBBF1FB91320F14826EE9299B390D7759A01CBA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
                                        • API String ID: 2691759472-1956487666
                                        • Opcode ID: aa0fe4f7606be45dc5d4b06be54142be561a8fdb84152f2a70e4b6a686e3630f
                                        • Instruction ID: eff24362dd440d6a81fc920443ad1a8884b1ad1d71f048fb40ea2bbd1275d465
                                        • Opcode Fuzzy Hash: aa0fe4f7606be45dc5d4b06be54142be561a8fdb84152f2a70e4b6a686e3630f
                                        • Instruction Fuzzy Hash: 3541B0B6E40616AFDB105A64DC42F2AB7A9EF40721F18063EAC14B36D0EB71DC10DAB1
                                        APIs
                                        • VariantClear.OLEAUT32(?), ref: 00CC31EA
                                        • VariantClear.OLEAUT32(?), ref: 00CC321C
                                        • VariantClear.OLEAUT32(?), ref: 00CC3316
                                        • VariantClear.OLEAUT32(?), ref: 00CC3345
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CC334C
                                        • SysAllocString.OLEAUT32(00000000), ref: 00CC3393
                                        • VariantClear.OLEAUT32(?), ref: 00CC341A
                                        • VariantClear.OLEAUT32(?), ref: 00CC344C
                                        • VariantClear.OLEAUT32(?), ref: 00CC3527
                                        • VariantClear.OLEAUT32(?), ref: 00CC3556
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ClearVariant$String$AllocFree
                                        • String ID:
                                        • API String ID: 1305860026-0
                                        • Opcode ID: a8bd188c27aeddfdf8b08e27daeae7b1806dc45c9130506ae6bc6b95e14dce4f
                                        • Instruction ID: 4ddc8cc03965e2d53964ee6ce0e8d23711a7c719a28a982305a2f71514ceb1c0
                                        • Opcode Fuzzy Hash: a8bd188c27aeddfdf8b08e27daeae7b1806dc45c9130506ae6bc6b95e14dce4f
                                        • Instruction Fuzzy Hash: 42C19C71900249DFCB10DFA8D848BEEBBB4FF09314F148269E415E7391E778AA45DBA4
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • ResetEvent.KERNEL32(?,?,?), ref: 00DD2C4A
                                        • SetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00DD2C83
                                        • ResetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00DD2E19
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000,?,?,?), ref: 00DD2E4B
                                        • ResetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000), ref: 00DD2F26
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00DD2F43
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00DD2F4A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Event$Reset$Init_thread_footerObjectSingleWait$HeapProcess
                                        • String ID: FTP Server
                                        • API String ID: 3860647947-688436434
                                        • Opcode ID: 84cab049a3b340e411b7fa553600ff38a21c7a85d7bc62257f6f5d453ef8a885
                                        • Instruction ID: b1e79d9416fff1c97b03c96bfb728446b709d45b3f2f5b2ec575dbbd17a73fd6
                                        • Opcode Fuzzy Hash: 84cab049a3b340e411b7fa553600ff38a21c7a85d7bc62257f6f5d453ef8a885
                                        • Instruction Fuzzy Hash: 0AD19030A01249DFDB00DF69C988BAEBBB5FF59314F18825AE814AB391D774DD05CBA0
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 00D8A069
                                        • CloseHandle.KERNEL32(00000000), ref: 00D8A090
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                          • Part of subcall function 00D8BC00: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,80070057,28CB4BA0,?,?,00000000,00E5D670,000000FF,?,00DD338D), ref: 00D8BC3D
                                          • Part of subcall function 00D8BC00: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 00D8BC6E
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?), ref: 00D8A105
                                        • CloseHandle.KERNEL32(00000000), ref: 00D8A157
                                          • Part of subcall function 00D8BA20: WideCharToMultiByte.KERNEL32(00000003,00000000,00DB3DCA,000000FF,00000000,00000000,00000000,00000000,?,?,?,00DB3DCA,?,?), ref: 00D8BA3C
                                          • Part of subcall function 00D8BA20: WideCharToMultiByte.KERNEL32(00000003,00000000,00DB3DCA,000000FF,?,-00000001,00000000,00000000,?,?,?,00DB3DCA,?,?), ref: 00D8BA73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
                                        • String ID: .bat$EXE$open$3
                                        • API String ID: 4275363648-2048902016
                                        • Opcode ID: c7b544bf0e04f915e16e85c930e0bff67bd0d2c670a502eb8a7ec532f053d7b9
                                        • Instruction ID: be83e588236dfc86fbf0d85e67ce639241606426c66c4d1ab9bcdcf53a166b32
                                        • Opcode Fuzzy Hash: c7b544bf0e04f915e16e85c930e0bff67bd0d2c670a502eb8a7ec532f053d7b9
                                        • Instruction Fuzzy Hash: 24A17970901649EFEB10DFA8CD48B9DFBB4FF45314F24829AE414AB2A1DB749909CF61
                                        APIs
                                        • SendMessageW.USER32(?,000000C5,?,00000000), ref: 00CCB771
                                        • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00CCB7D5
                                        • lstrcpynW.KERNEL32(?,?,00000020), ref: 00CCB847
                                        • MulDiv.KERNEL32(?,00000048,00000000), ref: 00CCB884
                                        • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00CCB8B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrcpyn
                                        • String ID: ?$U2$t
                                        • API String ID: 3928028829-3597738165
                                        • Opcode ID: bb864a6dc84a6bcf693dda08b60f57ab2b36c7a51c88e91e6b17541ab9c466a3
                                        • Instruction ID: 34a1f1be628b0624d964d77403598509f96ab17413483dfb786d12e0bc987bee
                                        • Opcode Fuzzy Hash: bb864a6dc84a6bcf693dda08b60f57ab2b36c7a51c88e91e6b17541ab9c466a3
                                        • Instruction Fuzzy Hash: 3F916071604344AFE721DF64CC45F9BBBE8AF89300F044A2AF699E71A1DB74E944CB52
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,00DB4998), ref: 00DD49F3
                                        • WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 00DD4A37
                                        • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00DD4A54
                                        • CloseHandle.KERNEL32(00000000), ref: 00DD4A6E
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00DD4AAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
                                        • String ID: Unable to get temp file $Unable to save script file $ps1
                                        • API String ID: 2821137686-4253966538
                                        • Opcode ID: b2e0759cb04082aab776028730d6a937eea3f2f9ba2e03a2f44a00c1608fa659
                                        • Instruction ID: 9a375d84e260fad15192a1b6de5b6463ffcbc6ab1f7dc1cda29d24ed126a1f83
                                        • Opcode Fuzzy Hash: b2e0759cb04082aab776028730d6a937eea3f2f9ba2e03a2f44a00c1608fa659
                                        • Instruction Fuzzy Hash: 5551C670940609AFDB10DB68CD4ABAEBBB8EF05318F148259E510BB3D2D7749D04CBA4
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00F46250,28CB4BA0,00000000,00F4626C), ref: 00CB2573
                                        • LeaveCriticalSection.KERNEL32(00F46250), ref: 00CB25D7
                                        • LoadCursorW.USER32(00CA0000,?), ref: 00CB2630
                                        • LeaveCriticalSection.KERNEL32(00F46250), ref: 00CB26C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leave$CursorEnterLoad
                                        • String ID: 4w$ATL:%p$f.$p.
                                        • API String ID: 2080323225-1471878312
                                        • Opcode ID: cc0fb209c6ee089a5a38f0626d2c32dbbb49e67c813b277695f506e1aed53080
                                        • Instruction ID: 3ba275e7dcfabd1154e80173349f659180987b4ed10996041adc278d82c444e1
                                        • Opcode Fuzzy Hash: cc0fb209c6ee089a5a38f0626d2c32dbbb49e67c813b277695f506e1aed53080
                                        • Instruction Fuzzy Hash: 5A519C70904B449BDB20CF69C9457AAFBF4FF59314F00861DECA6A3690EB70BA84CB51
                                        APIs
                                        • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00DA9582
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DA9588
                                        • GetDlgItem.USER32(?,?), ref: 00DA95FA
                                        • GetWindowRect.USER32(00000000,?), ref: 00DA9612
                                        • SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 00DA969F
                                        • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00DA96D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$ItemLongRect
                                        • String ID: $/$L/
                                        • API String ID: 3432912040-3308459630
                                        • Opcode ID: 7a251a9464cf26e56782774bca7fe015033a66f2ab1641c6ba7cf524ba49270e
                                        • Instruction ID: 978dc87a807d746d32132db7f161c86d9eb60f22262ff899a05b96bab31b423a
                                        • Opcode Fuzzy Hash: 7a251a9464cf26e56782774bca7fe015033a66f2ab1641c6ba7cf524ba49270e
                                        • Instruction Fuzzy Hash: F9518C34204304DFD724CF28C985B2ABBE1FF85718F184A1CF995AB2A5D771E844CB61
                                        APIs
                                        • GetSystemDefaultLangID.KERNEL32 ref: 00DC3CBE
                                        • GetUserDefaultLangID.KERNEL32 ref: 00DC3CCB
                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00DC3CDD
                                        • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00DC3CF1
                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00DC3D06
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                        • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                        • API String ID: 667524283-3528650308
                                        • Opcode ID: 2018aeefa8bbd2e60600e5e48f594f16277845038e17fd0c32615d2c6f997162
                                        • Instruction ID: 0c1e06ac0acbd4c43872bb1e65c93a59a9eaf760ac34c045fe74d5f09ab8d9e7
                                        • Opcode Fuzzy Hash: 2018aeefa8bbd2e60600e5e48f594f16277845038e17fd0c32615d2c6f997162
                                        • Instruction Fuzzy Hash: 7D41C1706043029FC744EF28D850BBAB7E5EFA8345F55591EF886D7280EB318A44CB62
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00E39847
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00E3984F
                                        • _ValidateLocalCookies.LIBCMT ref: 00E398D8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00E39903
                                        • _ValidateLocalCookies.LIBCMT ref: 00E39958
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00E3996E
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00E39983
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                        • String ID: csm
                                        • API String ID: 1385549066-1018135373
                                        • Opcode ID: 3eec3cde57724ac08d3860034fa9ede670b5df65be3e3b5db26b2746871a8b22
                                        • Instruction ID: 1d66e1659be701d66f96cc42cd8301aba0b576b5c7432028c3e87653a16974ff
                                        • Opcode Fuzzy Hash: 3eec3cde57724ac08d3860034fa9ede670b5df65be3e3b5db26b2746871a8b22
                                        • Instruction Fuzzy Hash: CE41E734D002089BCF14EF68C889A9EBFF1AF85318F1490A5E8147B393C771D905CB91
                                        APIs
                                          • Part of subcall function 00DD2140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00DD029A,?,28CB4BA0,?,?,?,000000FF,?), ref: 00DD2154
                                          • Part of subcall function 00DD2140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00DD029A,?,28CB4BA0,?,?,?,000000FF,?,00DCFC64), ref: 00DD2171
                                          • Part of subcall function 00DD2140: GetLastError.KERNEL32(?,28CB4BA0,?,?,?,000000FF,?,00DCFC64,?,?,00000000,00000000,28CB4BA0,?,?), ref: 00DD21D0
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • ResetEvent.KERNEL32(?,00000000,00EA38DD), ref: 00DD036A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00DD0389
                                        • WaitForSingleObject.KERNEL32(28CB4BA0,000000FF), ref: 00DD0390
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
                                        • String ID: GET$attachment$filename$h[
                                        • API String ID: 818129584-2595992338
                                        • Opcode ID: b23a87c4fc891a0744fe7c86beafd97256c4990b03d028d70b5231d61af1e59b
                                        • Instruction ID: cae0b0debd3abd49c8ed4aea9e769c17ab1c7ea2775f5b354460809d33d8c1c6
                                        • Opcode Fuzzy Hash: b23a87c4fc891a0744fe7c86beafd97256c4990b03d028d70b5231d61af1e59b
                                        • Instruction Fuzzy Hash: B2028E70901249EFDB10DFA8C945BAEBBF4FF55314F14816AE815AB391DB70AA04CFA1
                                        APIs
                                        • CoCreateInstance.COMBASE(00EC37FC,00000000,00000001,00EC3E84,?), ref: 00CB0EE0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: :${$>
                                        • API String ID: 542301482-2061168328
                                        • Opcode ID: 991f2da531769128cde3c7f29505b17be93fa0327582506fce5054ef75909144
                                        • Instruction ID: 7ed0fba0af064b9cec3a16964c8f62a2b05b76c13ff6911e8f99b8313e420e94
                                        • Opcode Fuzzy Hash: 991f2da531769128cde3c7f29505b17be93fa0327582506fce5054ef75909144
                                        • Instruction Fuzzy Hash: 29619F74A002959BDF249FA89855BFEB7B4EB09714F244429FC51FB280D775DE80CB60
                                        APIs
                                        • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00CCDEF7
                                        • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00CCDF1F
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CCDF37
                                        • SendMessageW.USER32(?,0000130A,00000000,?), ref: 00CCDF68
                                        • GetParent.USER32(?), ref: 00CCE044
                                        • SendMessageW.USER32(00000000,00000136,?,?), ref: 00CCE055
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$Parent
                                        • String ID: U2
                                        • API String ID: 1020955656-415264087
                                        • Opcode ID: 7277fee8e09c13333b4be3ba5d58b14057d824bff807ba446a1a084089e4f878
                                        • Instruction ID: 2ef53cc28fc2127a71f2f79f3774f87649f991274895c5e16c452136b1171183
                                        • Opcode Fuzzy Hash: 7277fee8e09c13333b4be3ba5d58b14057d824bff807ba446a1a084089e4f878
                                        • Instruction Fuzzy Hash: A2613476A10618AFDB119FE4DC09FAEBBB9FF59710F140119FA19BB2A0C7706A40DB50
                                        APIs
                                        • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00D822AB
                                        • GetParent.USER32(00000000), ref: 00D822FE
                                        • GetWindowRect.USER32(00000000), ref: 00D82301
                                        • GetParent.USER32(00000000), ref: 00D82310
                                          • Part of subcall function 00D3FCF0: GetWindowRect.USER32(?,?), ref: 00D3FD8B
                                          • Part of subcall function 00D3FCF0: GetWindowRect.USER32(?,?), ref: 00D3FDA3
                                        • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00D82400
                                        • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00D82413
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageRectSendWindow$Parent
                                        • String ID: $/
                                        • API String ID: 425339167-2114005866
                                        • Opcode ID: 08115280d2c6afb3940894f8bdaae65f2af8d6875209f03b21f9db0917d703ec
                                        • Instruction ID: c2c8bb7cef9077bb0b15a46730c2c497a9412fb07596dffa38c599b47d86e086
                                        • Opcode Fuzzy Hash: 08115280d2c6afb3940894f8bdaae65f2af8d6875209f03b21f9db0917d703ec
                                        • Instruction Fuzzy Hash: 7E512675D00648ABDB11DFA8CD45BDEBBF8AF5A710F144319E815B7291EB706A808B60
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00CB6CEF
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00CB6D43
                                        • CloseHandle.KERNEL32(00000000), ref: 00CB6D92
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00CB6DF6
                                        • CloseHandle.KERNEL32(00000000,?), ref: 00CB6E1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                        • String ID: aix$html
                                        • API String ID: 2030708724-2369804267
                                        • Opcode ID: e6377344ce738993b3708e689ec7a7d4149972dc160118f299355954e1799633
                                        • Instruction ID: d7effcccbf30875ba1da5101282da8de9d96588d4c17088caf1614b461ca7de9
                                        • Opcode Fuzzy Hash: e6377344ce738993b3708e689ec7a7d4149972dc160118f299355954e1799633
                                        • Instruction Fuzzy Hash: C3516EB0A00248EFDF10DFA4DD59B9EBBB4FB56308F10425DE401AB291D7F95A09DB62
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00D82500
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        • GetProcAddress.KERNEL32(SetWindowTheme), ref: 00D8253D
                                        • __Init_thread_footer.LIBCMT ref: 00D82554
                                        • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00D8257F
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                          • Part of subcall function 00D61FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D61FF1
                                          • Part of subcall function 00D61FB0: _wcschr.LIBVCRUNTIME ref: 00D620AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
                                        • String ID: SetWindowTheme$UxTheme.dll$explorer
                                        • API String ID: 3852524043-3123591815
                                        • Opcode ID: 72b8a1ab1c33a64f4d78d2b0a779610af592e990f180129e25feed422250734f
                                        • Instruction ID: 1ae925c411b83b268ced2cbf7312aeb6ff20e84e1e69bbf73f73b3175920e689
                                        • Opcode Fuzzy Hash: 72b8a1ab1c33a64f4d78d2b0a779610af592e990f180129e25feed422250734f
                                        • Instruction Fuzzy Hash: 9E21E1B4A40308EBC720DF24ED06B59BBB4EB22720F184215FD24E73D4D770A901EBA2
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00CB980A
                                        • GetWindow.USER32(?,00000005), ref: 00CB9817
                                        • GetWindow.USER32(00000000,00000002), ref: 00CB9952
                                          • Part of subcall function 00CB9660: GetWindowRect.USER32(?,?), ref: 00CB968C
                                          • Part of subcall function 00CB9660: GetWindowRect.USER32(?,?), ref: 00CB969C
                                        • GetWindowRect.USER32(?,?), ref: 00CB98AB
                                        • GetWindowRect.USER32(00000000,?), ref: 00CB98BB
                                        • GetWindowRect.USER32(00000000,?), ref: 00CB98D5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID:
                                        • API String ID: 3200805268-0
                                        • Opcode ID: 0c6ec5a32dfc8b3e420c0bd8ad9041fcd5fa9406c62510e9666baa85b3efa07e
                                        • Instruction ID: 0de8658ad6a5a684a1c000b14bcddaae6572da7e08ee645796fe2c7fa5db3870
                                        • Opcode Fuzzy Hash: 0c6ec5a32dfc8b3e420c0bd8ad9041fcd5fa9406c62510e9666baa85b3efa07e
                                        • Instruction Fuzzy Hash: 6C41BF309087019BC721DF25C980AABF7F9FF96704F504A1DF29593661EB31E988CB12
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00E35D55,00000000,?,?,00CB0B74,?), ref: 00E35BCF
                                        • HeapAlloc.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35BD6
                                          • Part of subcall function 00E35CA1: IsProcessorFeaturePresent.KERNEL32(0000000C,00E35BBD,00000000,?,00E35D55,00000000,?,?,00CB0B74,?), ref: 00E35CA3
                                        • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00E35D55,00000000,?,?,00CB0B74,?), ref: 00E35BE6
                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00CB0B74,?), ref: 00E35C0D
                                        • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,00CB0B74,?), ref: 00E35C21
                                        • InterlockedPopEntrySList.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35C34
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00CB0B74,?), ref: 00E35C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                        • String ID:
                                        • API String ID: 2460949444-0
                                        • Opcode ID: 32a0dd8fe9cee1b0e06e4c0194d4a0ae34b494e2bf00bb0fee3def99be43f8a4
                                        • Instruction ID: 468adaa091f25fa1494da3b0526fb4b60c8fdeeeedb6fac446acf314bba0ef02
                                        • Opcode Fuzzy Hash: 32a0dd8fe9cee1b0e06e4c0194d4a0ae34b494e2bf00bb0fee3def99be43f8a4
                                        • Instruction Fuzzy Hash: 1D119672601F15AFD7211B65AE8CF6BBA5CEB4478DF192522FA01F6350DE20DC04D670
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • _wcschr.LIBVCRUNTIME ref: 00DE6F6B
                                        • _wcschr.LIBVCRUNTIME ref: 00DE701D
                                        • _wcschr.LIBVCRUNTIME ref: 00DE703C
                                          • Part of subcall function 00CA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00CB69F0,-00000010,?,00CBAA9D,*.*), ref: 00CA93B7
                                        • _wcschr.LIBVCRUNTIME ref: 00DE70E2
                                        • GetTickCount.KERNEL32 ref: 00DE728A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
                                        • String ID: 0123456789AaBbCcDdEeFf
                                        • API String ID: 2181188311-3822820098
                                        • Opcode ID: 4362c34c81e9f406d2e96b958b7f20b452d74259619f243d78a44eb88b630791
                                        • Instruction ID: 79fc12deeb563a0d5080ffe6e3cca9826017ce07cb1306239f22ca7c63465e10
                                        • Opcode Fuzzy Hash: 4362c34c81e9f406d2e96b958b7f20b452d74259619f243d78a44eb88b630791
                                        • Instruction Fuzzy Hash: 7DD11030A00A458FDB20EF69C888BAAB7F5FF44314F18865DE4659B381D734ED45CBA0
                                        APIs
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CCF7CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: ' AND `Control_`='$,n$AiTabPage$ControlEvent$`Dialog_`='
                                        • API String ID: 3850602802-3383718950
                                        • Opcode ID: 2db52c6f471561aa1e47eea0bdc1d0642c87953ec6e6f4ab0bfa4e77308b5e2e
                                        • Instruction ID: fbaef54e80e174223f2b406670c9ff40a62287794b6885d73a08762d907395fb
                                        • Opcode Fuzzy Hash: 2db52c6f471561aa1e47eea0bdc1d0642c87953ec6e6f4ab0bfa4e77308b5e2e
                                        • Instruction Fuzzy Hash: C1F15971900249DFDF14DF68C999BEE7BF1BF08308F140269ED15AB292D775AA05CBA0
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,28CB4BA0,?,00000000), ref: 00DA0A69
                                        • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000), ref: 00DA0AEC
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DA0B39
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00DA0B42
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DA0BA5
                                        • CloseHandle.KERNEL32(00000000), ref: 00DA0CF7
                                        • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00DA0D7F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: File$Read$CloseCreateHandlePointerSize
                                        • String ID:
                                        • API String ID: 4181610692-0
                                        • Opcode ID: 62c5b6c0e71df1042fa76cb11bdc3402ae4166e8dd5a6238e658cc0805b8221b
                                        • Instruction ID: 70f8b201fa4b2aa9ba47abab7abab0bcf3bf4987fceded74caa30987022b7a71
                                        • Opcode Fuzzy Hash: 62c5b6c0e71df1042fa76cb11bdc3402ae4166e8dd5a6238e658cc0805b8221b
                                        • Instruction Fuzzy Hash: 4BC17D71E01308DFDB24CFA8C945BAEBBB5FF46314F248259E415BB281D770AA45CBA0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00F46008,28CB4BA0,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00E604E5), ref: 00CB4EBA
                                        • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00E604E5), ref: 00CB4F3A
                                        • EnterCriticalSection.KERNEL32(00F46024,?,?,?,?,?,?,?,?,?,?,?,00000000,00E604E5,000000FF), ref: 00CB50F3
                                        • LeaveCriticalSection.KERNEL32(00F46024,?,?,?,?,?,?,?,?,?,?,00000000,00E604E5,000000FF), ref: 00CB5114
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Enter$FileLeaveModuleName
                                        • String ID: 4w
                                        • API String ID: 1807155316-3778465916
                                        • Opcode ID: e8e2e0ac08b4fb40314f42f1979c3e239eac38750da875d8298bed4b8cd49033
                                        • Instruction ID: 5bc3595ac93b8f07844a47b38a000edb8e85024340cd7051246a8bca53b3aadd
                                        • Opcode Fuzzy Hash: e8e2e0ac08b4fb40314f42f1979c3e239eac38750da875d8298bed4b8cd49033
                                        • Instruction Fuzzy Hash: 88B1C170A04649DFDB11DFA8D888BEEBBB4BF19314F144198E815EB391C775AE44CBA0
                                        APIs
                                        • SysFreeString.OLEAUT32(?), ref: 00CD4D55
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CD4DCA
                                        • GetProcessHeap.KERNEL32(?,?), ref: 00CD4E30
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 00CD4E36
                                        • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00CD4E66
                                        • HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CD4E6C
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CD4E84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Free$Heap$String$Process
                                        • String ID:
                                        • API String ID: 2680101141-0
                                        • Opcode ID: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
                                        • Instruction ID: a2609fa89aa62cbc9dc511cd40fc4119ff58a520fe5c3ca67dde7be216101941
                                        • Opcode Fuzzy Hash: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
                                        • Instruction Fuzzy Hash: 3E61B370D00259DFDF14DFA8C889BAFBBB4BF01310F14415AEA61A7392C7789A05CBA1
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00D3FD8B
                                        • GetWindowRect.USER32(?,?), ref: 00D3FDA3
                                        • GetWindowRect.USER32(?,?), ref: 00D3FE10
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00D3FE34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Long
                                        • String ID: $/$L/
                                        • API String ID: 3486571012-3308459630
                                        • Opcode ID: d51b0be7afb4ae31e0f0241d58e08e6db87145830eb14b6d51bca19bc74f86e8
                                        • Instruction ID: bf131a5faf557c7e2d6d3bcc226e24c2289397208460add1912de6eed996f719
                                        • Opcode Fuzzy Hash: d51b0be7afb4ae31e0f0241d58e08e6db87145830eb14b6d51bca19bc74f86e8
                                        • Instruction Fuzzy Hash: F5417E35A083099FC700CF15D884B6BB7E8FF9A714F05462EF945A7261DB30E945CB62
                                        APIs
                                        • Wow64DisableWow64FsRedirection.KERNEL32(00000000,28CB4BA0,?,?), ref: 00DCE307
                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,28CB4BA0,00EA344D), ref: 00DCE37F
                                        • GetLastError.KERNEL32 ref: 00DCE390
                                        • WaitForSingleObject.KERNEL32(00EA344D,000000FF), ref: 00DCE3AC
                                        • GetExitCodeProcess.KERNEL32(00EA344D,00000000), ref: 00DCE3BD
                                        • CloseHandle.KERNEL32(00EA344D), ref: 00DCE3C7
                                        • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00DCE3E2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
                                        • String ID:
                                        • API String ID: 1153077990-0
                                        • Opcode ID: a872232e8b22fb00b55db9ebc7f9485dd82142b84118bf331fedd1609beb104c
                                        • Instruction ID: d3c6c9622ec0f1a7f5af038dfea01034ddcec9da647594eadc5fa0a47966f20a
                                        • Opcode Fuzzy Hash: a872232e8b22fb00b55db9ebc7f9485dd82142b84118bf331fedd1609beb104c
                                        • Instruction Fuzzy Hash: 19417B71E0438AABDB10CFA5CD04BAEBBF8AF49311F145659E824A7290DB749A44CB60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$Init
                                        • String ID: e
                                        • API String ID: 3740757921-2857170482
                                        • Opcode ID: 6f7a80a34d49aeede071c6762693744fd68ae6079aa6e47629b04393e7031d77
                                        • Instruction ID: dbf96f0396b30a61ddc173d4a3d15a602925d84195954309ab7c49a9b46033e0
                                        • Opcode Fuzzy Hash: 6f7a80a34d49aeede071c6762693744fd68ae6079aa6e47629b04393e7031d77
                                        • Instruction Fuzzy Hash: 3D313871D0424CEFDB05CFA8C944BDEBBF8EF49704F10859AE410A7290D7B5AA04CBA0
                                        APIs
                                        • LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00DC6881,00000000,28CB4BA0,?,00000010,00000000), ref: 00DE0EAB
                                        • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00DE0EC1
                                        • FreeLibrary.KERNEL32(00000000), ref: 00DE0EFA
                                        • FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00DC6881,00000000,28CB4BA0,?,00000010,00000000), ref: 00DE0F16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Library$Free$AddressLoadProc
                                        • String ID: DllGetVersion$Shlwapi.dll
                                        • API String ID: 1386263645-2240825258
                                        • Opcode ID: b84e9ad1ef8d9efc6f635e5adce7334275b23e5c43dd0fb40ac73c1f2918a51c
                                        • Instruction ID: 4fb93a2b0baf13e900524bcc40509f3d67aa30cc0f84d9a00bdbe135c0ec4ed2
                                        • Opcode Fuzzy Hash: b84e9ad1ef8d9efc6f635e5adce7334275b23e5c43dd0fb40ac73c1f2918a51c
                                        • Instruction Fuzzy Hash: 7121C2726043019BD314AF2AEC4166BBBE4FFD9711F80066EF989D3341EB71D849C6A2
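The entries above each list a function's API calls and a derived "API ID" similarity key. The following is an added Python example, not part of the Joe Sandbox report or its tooling: it parses those "APIs" bullets and rebuilds the key with a tokenisation rule inferred from this page's own entries (an assumption, not Joe Sandbox's documented method), and pairs LoadLibrary/GetProcAddress arguments so the "dynamically determine API calls" signature in the summary can be checked against the names actually resolved, here Shlwapi.dll!DllGetVersion.

```python
"""Parse Joe Sandbox "APIs" bullets and rebuild the function's "API ID" similarity key.

Added example for this report page; it is not Joe Sandbox code. The tokenisation
rule below is an assumption inferred from the entries on this page, not a
documented algorithm: split each Win32 API name at CamelCase boundaries, drop
tokens of three characters or fewer (Get/Set/Sys/For prefixes, A/W suffixes, Fs),
count tokens over all listed calls, emit frequency groups from most to least
frequent with each group's tokens sorted and concatenated, and join groups with
"$". CRT names such as std::_Lockit::_Lockit are split differently and are not
handled here.
"""
import re
from collections import Counter

# One "APIs" bullet: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then ", ref: <addr>" (GetLastError.KERNEL32 ref: ... has no args).
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w:~]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
CAMEL = re.compile(r"[A-Z][a-z]*[0-9]*|[a-z]+[0-9]*")
MIN_TOKEN_LEN = 4  # assumption: no shorter token appears in any API ID on this page


def parse_api_lines(text):
    """Return (name, module, [args], ref) for every parsable bullet, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append((m["name"], m["module"], args, m["ref"]))
    return calls


def api_tokens(name):
    return [t for t in CAMEL.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(names):
    """Frequency-grouped token key, e.g. ['HeapFree', 'GetProcessHeap'] -> 'Heap$FreeProcess'."""
    counts = Counter(t for n in names for t in api_tokens(n))
    by_count = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


def api_id_from_report(text):
    return api_id([name for name, _, _, _ in parse_api_lines(text)])


def dynamic_imports(calls):
    """Pair each GetProcAddress with the most recent LoadLibrary* in the same function.

    Only argument strings the report prints literally are usable; '?' and
    00000000 mean the sandbox could not resolve the value. Resolving
    Shlwapi!DllGetVersion, as in the entry above, is a routine version probe
    rather than evidence of API hiding; the resolved names decide that.
    """
    pairs, current_lib = [], None
    for name, _module, args, _ref in calls:
        if name.startswith("LoadLibrary") and args:
            current_lib = args[0]
        elif name == "GetProcAddress" and len(args) >= 2:
            pairs.append((current_lib, args[1]))
    return pairs


# Constructed sample: the Shlwapi entry from this report, copied verbatim.
SAMPLE = """
• LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00DC6881,00000000,28CB4BA0,?,00000010,00000000), ref: 00DE0EAB
• GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00DE0EC1
• FreeLibrary.KERNEL32(00000000), ref: 00DE0EFA
• FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00DC6881,00000000,28CB4BA0,?,00000010,00000000), ref: 00DE0F16
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(api_id_from_report(SAMPLE))  # Library$Free$AddressLoadProc
    print(dynamic_imports(calls))      # [('Shlwapi.dll', 'DllGetVersion')]
```

The key is useful for pivoting: two functions with the same API ID across different samples call the same mix of APIs with the same proportions, independent of addresses and fuzzy hashes. The "API String ID" hash and the "String ID" field are not reconstructed here; the page gives no basis for the hash function.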
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,00E4FEDF,00E4D0E1,0000000C,?,00000000,00000000,?,00E50109,00000021,FlsSetValue,00EBCF80,00EBCF88,?), ref: 00E4FE93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 3664257935-537541572
                                        • Opcode ID: 383114cae56eaaea4b115fcca4da5a6cd974e5fec618fff501d72d6c76d6c3ac
                                        • Instruction ID: dd977ec050dff2191072edde04c6f0dcf083beec1f3701e64a8ebbd1a2b81037
                                        • Opcode Fuzzy Hash: 383114cae56eaaea4b115fcca4da5a6cd974e5fec618fff501d72d6c76d6c3ac
                                        • Instruction Fuzzy Hash: 8721E735E01214ABD721AB61BC40A9B37999B41FB5F252230EA06B72A2DB30ED04C6E0
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00D0EB86
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00D0EB8C
                                          • Part of subcall function 00D10530: GetProcessHeap.KERNEL32(?,?,28CB4BA0,00000000,?,00000000), ref: 00D105EA
                                          • Part of subcall function 00D10530: HeapFree.KERNEL32(00000000,?,?,28CB4BA0,00000000,?,00000000), ref: 00D105F0
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D0ED97
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D0ED9D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3$|3
                                        • API String ID: 3859560861-2167544776
                                        • Opcode ID: c3b107803761cbb4fd72a20b5d44828047c01e6173d7c8142f881f24e34143ba
                                        • Instruction ID: 79678b19b9462fb43499a07c03a6db7d5e095ee1393399c4ea56e9b17b80015a
                                        • Opcode Fuzzy Hash: c3b107803761cbb4fd72a20b5d44828047c01e6173d7c8142f881f24e34143ba
                                        • Instruction Fuzzy Hash: 78F1AA70900249DFDB04DFA8C949BEEBBB4FF05314F24469DE415AB2D2DB75AA04CBA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D06ED0
                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00D06ED6
                                        • GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00D06F01
                                        • HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00D06F07
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: _TEMP$|3
                                        • API String ID: 3859560861-63189381
                                        • Opcode ID: ef44893f3c9435c30633d4cf2731e214a5edc8e2edfac593c7744ba6ab30fcfb
                                        • Instruction ID: 33000004bf6c4e143fed4ebe277abf483eb370a77ed9656c319ad1c5f7d1e314
                                        • Opcode Fuzzy Hash: ef44893f3c9435c30633d4cf2731e214a5edc8e2edfac593c7744ba6ab30fcfb
                                        • Instruction Fuzzy Hash: 08919CB1E012499FDB14DFA8C984BEEBBF4EF44324F244269E505B72D1CB749A05CBA1
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00D960CA
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00D960EC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00D96114
                                        • __Getctype.LIBCPMT ref: 00D961E5
                                        • std::_Facet_Register.LIBCPMT ref: 00D96247
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00D96271
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • String ID:
                                        • API String ID: 1102183713-0
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00CB99D7
                                        • GetWindowRect.USER32(?,?), ref: 00CB9AB3
                                        Similarity
                                        • API ID: RectWindow
                                        • String ID: $/$PV$U2
                                        • API String ID: 861336768-4111043451
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00E37D49,00E37D15,?,?,00CD21FD,00DA0140,?,00000008), ref: 00E37D60
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E37D6E
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E37D87
                                        • SetLastError.KERNEL32(00000000,00E37D49,00E37D15,?,?,00CD21FD,00DA0140,?,00000008), ref: 00E37DD9
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        APIs
                                        • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00CC0118
                                        • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00CC012D
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                          • Part of subcall function 00D82040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00CC0168,00000000,80004005), ref: 00D820AB
                                          • Part of subcall function 00D82040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D820DB
                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00CC025E
                                        • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00CC035A
                                        Similarity
                                        • API ID: MessageSend$AllocHeapWindow
                                        • String ID: |3
                                        • API String ID: 2851540245-1823295303
                                        APIs
                                        • GetShortPathNameW.KERNEL32(28CB4BA0,00000000,00000000), ref: 00DB3D1F
                                        • GetShortPathNameW.KERNEL32(?,?,?), ref: 00DB3D8D
                                        Similarity
                                        • API ID: NamePathShort
                                        • String ID: neutral$x64$x86
                                        • API String ID: 1295925010-1541741584
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 00DA99E8
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID: Close$Copy$Details >>$Send Error Report
                                        • API String ID: 4139908857-113472931
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00CA8975
                                        • __Init_thread_footer.LIBCMT ref: 00CA89EF
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: </a>$<a href="$<a>
                                        • API String ID: 1385522511-4210067781
                                        APIs
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                          • Part of subcall function 00D82040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00CC0168,00000000,80004005), ref: 00D820AB
                                          • Part of subcall function 00D82040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D820DB
                                        • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00CC5FDC
                                        • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00CC5FF3
                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 00CC604F
                                        Similarity
                                        • API ID: MessageSend$AllocHeapWindow
                                        • String ID: QuickSelectionList$|3
                                        • API String ID: 2851540245-1570561888
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?,?,28CB4BA0,00000000,?), ref: 00DA266C
                                        • SHGetMalloc.SHELL32(?), ref: 00DA2695
                                        Similarity
                                        • API ID: Init_thread_footer$FolderHeapLocationMallocProcessSpecial
                                        • String ID: %s, %.2u %s %.4u %.2u:%.2u:%.2u GMT$C:\$C:\FAKE_DIR\
                                        • API String ID: 3216538967-785558474
                                        APIs
                                        • CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00CCDD5D
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00CCDD72
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00CCDD7A
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                          • Part of subcall function 00CCF780: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CCF7CD
                                        Similarity
                                        • API ID: MessageSend$AllocCreateHeapWindow
                                        • String ID: SysTabControl32$TabHost
                                        • API String ID: 4294867080-2872506973
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,28CB4BA0), ref: 00CB6EF3
                                        • GetLastError.KERNEL32 ref: 00CB6F1C
                                        • RegCloseKey.ADVAPI32(?,00000000,00000000,?,00EC337C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00CB7065
                                        Strings
                                        • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00CB6EE8
                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00CB6F5C
                                        Similarity
                                        • API ID: CloseCreateErrorEventLast
                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                        • API String ID: 1713683948-2079760225
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
                                        • API String ID: 0-3551742416
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,00E3A84D,?,?,00000000,?,?,00E3A8FF,00000002,FlsGetValue,00EBA0D0,00EBA0D8), ref: 00E3A81C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: b47e4b2656b5db4a63a6749f218f14215760af157c7fe421bf2390720c94b337
                                        • Instruction ID: 9d74149ce498822e8e041659b468e617574b57c5e5935d18d1687058ef39b791
                                        • Opcode Fuzzy Hash: b47e4b2656b5db4a63a6749f218f14215760af157c7fe421bf2390720c94b337
                                        • Instruction Fuzzy Hash: F211A732A40625ABDF329B689C8CB5A3BA89F01774F191271E950B7280DB70ED45C6D2
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,28CB4BA0,?,?,00000000,00EB6426,000000FF,?,00E4C662,?,?,00E4C636,?), ref: 00E4C6C4
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E4C6D6
                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00EB6426,000000FF,?,00E4C662,?,?,00E4C636,?), ref: 00E4C6F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: b4f202d518fa43caa9cf21eecd9ed3a67828d3275a534281f1dcaa821c6b1631
                                        • Instruction ID: 5888d42bc55f3cec6736a80995ca3188a42e3936d91d7fd5414ec6a12ebac50f
                                        • Opcode Fuzzy Hash: b4f202d518fa43caa9cf21eecd9ed3a67828d3275a534281f1dcaa821c6b1631
                                        • Instruction Fuzzy Hash: 9401AD31904619EFDB119F55DD05BAFBBB8FB04B15F11962AF821B23E0DFB49904CA90
                                        APIs
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00DA7A1E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00DA7A25
                                        • __Init_thread_footer.LIBCMT ref: 00DA7A3C
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
                                        • String ID: Dbghelp.dll$SymFromAddr
                                        • API String ID: 3268644551-642441706
                                        • Opcode ID: 7cc852d09900d020ff288dbd1e81fe8f75a5a0066365f9190337915e51130ee2
                                        • Instruction ID: 5c3953d35ffdfc60639390f578a709600cf7b6b3f71d1efdefcb987a2b187efb
                                        • Opcode Fuzzy Hash: 7cc852d09900d020ff288dbd1e81fe8f75a5a0066365f9190337915e51130ee2
                                        • Instruction Fuzzy Hash: 5401B1B5A49704EFC710CF58ED46B197BA4E70AB30F104266E816E33D0C775A500DA12
                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,00E36687,00000064), ref: 00E3670D
                                        • LeaveCriticalSection.KERNEL32(00F44CD8,?,?,00E36687,00000064,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E36717
                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00E36687,00000064,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E36728
                                        • EnterCriticalSection.KERNEL32(00F44CD8,?,00E36687,00000064,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3672F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID: 4w
                                        • API String ID: 3269011525-3778465916
                                        • Opcode ID: 6f60810e40783afcb3b340f68df65ab64978eda2c330b0e95c9667ae29d11a3a
                                        • Instruction ID: 6c42184ab805155f253979cc769ef5b83fd7b3ac34a7b813de4d79380f8e3c62
                                        • Opcode Fuzzy Hash: 6f60810e40783afcb3b340f68df65ab64978eda2c330b0e95c9667ae29d11a3a
                                        • Instruction Fuzzy Hash: 47E09235642524BBCA012B92EE89BDE3F2CEB05B51B090012FF0576270CE606824EBE5
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?), ref: 00D0E08B
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 00D0E091
                                        • GetProcessHeap.KERNEL32(?,?), ref: 00D0E160
                                        • HeapFree.KERNEL32(00000000,?,?), ref: 00D0E166
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3
                                        • API String ID: 3859560861-1823295303
                                        • Opcode ID: dcc8b375ddbd733c2bd793cdb828f5fa481de1a0f3ff4d0773f5cdfc4bb207bd
                                        • Instruction ID: ebd7116ad3d488c030f43e5e4ed58111decbd8d43ac056b0003f4f3778ebeceb
                                        • Opcode Fuzzy Hash: dcc8b375ddbd733c2bd793cdb828f5fa481de1a0f3ff4d0773f5cdfc4bb207bd
                                        • Instruction Fuzzy Hash: 39D18B30900348CFDB14DFA8C994BEEBBB5BF54304F244569E509AB292DB70AA45CBA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00CE1E5F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00CE1E65
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00CE1F0F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00CE1F15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3
                                        • API String ID: 3859560861-1823295303
                                        • Opcode ID: be0e083d68487fbffaf0bfa7b84c428c73d5eb4f16e844692d48fafc309f22c7
                                        • Instruction ID: e13769455f9782a4aa2b41efcbbb293f6148e81962a25239306498c91461bc1b
                                        • Opcode Fuzzy Hash: be0e083d68487fbffaf0bfa7b84c428c73d5eb4f16e844692d48fafc309f22c7
                                        • Instruction Fuzzy Hash: 8DB17970D00298DEDB20DB69CC49BAEBBB5FF01314F1442DAE919A7292DB745B84CF91
                                        APIs
                                          • Part of subcall function 00CC25D0: __Init_thread_footer.LIBCMT ref: 00CC263F
                                        • SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00CC0502
                                        • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00CC05B7
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00CC0656
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00CC0701
                                          • Part of subcall function 00CB2970: RaiseException.KERNEL32(?,?,00000000,00000000,00E35A3C,C000008C,00000001,?,00E35A6D,00000000,?,00CA91C7,00000000,28CB4BA0,00000001,?), ref: 00CB297C
                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00CC0787
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$ExceptionInit_thread_footerRaise
                                        • String ID:
                                        • API String ID: 3442259968-0
                                        • Opcode ID: b0b5c931b29f9e2023a9b1652618a7d74a1c7aaf1bf25724a472f937b8c06329
                                        • Instruction ID: 325b6cebb97207a7ba382394be0191e09b9b13858489aecd51721a2da6e10346
                                        • Opcode Fuzzy Hash: b0b5c931b29f9e2023a9b1652618a7d74a1c7aaf1bf25724a472f937b8c06329
                                        • Instruction Fuzzy Hash: 72B12AB1D0135DDBEB24CF54CD54BDABBB1BF59308F10829AE9186B280D7B56A84CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00CE0A0F
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CE0A15
                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00CE0ABF
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CE0AC5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID: |3
                                        • API String ID: 3859560861-1823295303
                                        • Opcode ID: 10941b7ad49ef4bfb15fc3b6d1cb1c79269a169cf06e0651acf6509d7138a606
                                        • Instruction ID: a7cee98008a620342e42e47a7634ae964bda1d325d9f8c757760eebb4ddc6aa3
                                        • Opcode Fuzzy Hash: 10941b7ad49ef4bfb15fc3b6d1cb1c79269a169cf06e0651acf6509d7138a606
                                        • Instruction Fuzzy Hash: 11916A70D013A8CEEB24DB25CC45B9ABBB5AF01314F1442E9D519A7282DBB45BC8DF92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ItemMessageSendWindow
                                        • String ID:
                                        • API String ID: 799199299-0
                                        • Opcode ID: ea1f83cdc081f7291f50e7f592f6c826127e9da0fed99dbc618966bc28545a41
                                        • Instruction ID: 773349b65800a3983a5c1ce025ff37c12e48be140c7d18bdd1a97c038b4b22cd
                                        • Opcode Fuzzy Hash: ea1f83cdc081f7291f50e7f592f6c826127e9da0fed99dbc618966bc28545a41
                                        • Instruction Fuzzy Hash: 0141C3362001069FC725CFA8E898B66B7A9FB47315F04443EE599C7162D732ED12EB20
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00D9BD04
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00D9BD24
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00D9BD4C
                                        • std::_Facet_Register.LIBCPMT ref: 00D9BE2B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00D9BE55
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                        • String ID:
                                        • API String ID: 459529453-0
                                        • Opcode ID: ce0dc1d4ac1df2f38416866e1a3e50a1197f9629289d6c8f3b565b13c2d8b8c3
                                        • Instruction ID: c1e4e79008c2cac27d558fdbb7ace8ec67459c9b01f41c3a4e9a9b5478a46112
                                        • Opcode Fuzzy Hash: ce0dc1d4ac1df2f38416866e1a3e50a1197f9629289d6c8f3b565b13c2d8b8c3
                                        • Instruction Fuzzy Hash: DC519EB0900208DFDF11CF58D9457AEBBF4EF11324F25815EE846AB391D771AA05DBA1
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00CF7A99
                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 00CF7AA9
                                        • SendMessageW.USER32(?,000005FA,?,00000000), ref: 00CF7BC1
                                          • Part of subcall function 00D06040: EnterCriticalSection.KERNEL32(28CB4BA0,28CB4BA0), ref: 00D06080
                                          • Part of subcall function 00D06040: GetCurrentThreadId.KERNEL32 ref: 00D06093
                                          • Part of subcall function 00D06040: LeaveCriticalSection.KERNEL32(?), ref: 00D06111
                                          • Part of subcall function 00D00100: SetLastError.KERNEL32(0000000E,?,00CF880B,?,?,?,?), ref: 00D00118
                                        • GetLastError.KERNEL32(?,?,00ECC530,00000000), ref: 00CF7B33
                                        • ShowWindow.USER32(?,0000000A,?,?,00ECC530,00000000), ref: 00CF7B45
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
                                        • String ID:
                                        • API String ID: 2782539745-0
                                        • Opcode ID: 1d6384269733f3d6e047876e74ea853e52213ed42a2bc082faa779b770eff523
                                        • Instruction ID: ecab430b6821681a18360d6c88961a209eb4191443ae2806e1a245b73ad4bf27
                                        • Opcode Fuzzy Hash: 1d6384269733f3d6e047876e74ea853e52213ed42a2bc082faa779b770eff523
                                        • Instruction Fuzzy Hash: C631EE70D00308EBDB10EFA0CC4ABEEBBB4EF10304F104259E615672D0DBB95A09DBA2
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD472A
                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CD4730
                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00CD4753
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00E66756,000000FF), ref: 00CD477B
                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00E66756,000000FF), ref: 00CD4781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess$FormatMessage
                                        • String ID:
                                        • API String ID: 1606019998-0
                                        • Opcode ID: cd39abfccc790d0f515afd2343ea4d4e231fb87b90396deb624834b9bd1ebc13
                                        • Instruction ID: 96a0b7673777b7b580f69f11bc358ca6b888fe2237f53509b9ff3510823d3d48
                                        • Opcode Fuzzy Hash: cd39abfccc790d0f515afd2343ea4d4e231fb87b90396deb624834b9bd1ebc13
                                        • Instruction Fuzzy Hash: 501133B1A44319ABEB10DF94CC46BAFBBF8EB04B04F104519F610BB6C1D7B5A604C791
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00CC0DCB
                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 00CC0E28
                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 00CC0E77
                                        • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00CC0E88
                                        • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00CC0E95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID:
                                        • API String ID: 312131281-0
                                        • Opcode ID: 39030bcef1889634d413ab299951eba41faccfaef1470e1b4471844fac3b57e0
                                        • Instruction ID: 38024f5ae70edb0e9cbc8c746009207f730049318721d1a7c853c4d23411868b
                                        • Opcode Fuzzy Hash: 39030bcef1889634d413ab299951eba41faccfaef1470e1b4471844fac3b57e0
                                        • Instruction Fuzzy Hash: 42215131958746A7D220DF11CD44B1ABBF1BFEE758F202B0EF5D4211A4E7F191848E86
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                          • Part of subcall function 00DBA570: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00DBA59D
                                        • _wcschr.LIBVCRUNTIME ref: 00DBAAE2
                                        • _wcschr.LIBVCRUNTIME ref: 00DBAB6F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer_wcschr$FileHeapModuleNameProcess
                                        • String ID: h$l
                                        • API String ID: 973101865-3303259029
                                        • Opcode ID: f14b17234ee775885806033d969855557a24bcd555c8043efe527f309eabd7e7
                                        • Instruction ID: 2b343b863ae0ff40f8fb931830373e177f3c757bb2048773baab51266b61782a
                                        • Opcode Fuzzy Hash: f14b17234ee775885806033d969855557a24bcd555c8043efe527f309eabd7e7
                                        • Instruction Fuzzy Hash: 58F1A171A00609DFDB10DFA8C859BDEFBF5EF44324F14826DE415AB291EB709905CBA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: realm
                                        • API String ID: 2691759472-4204190682
                                        • Opcode ID: cc4a5ea2590e3691bb884e8dc3200042e37a9a979cc2ee0bef5c700d938eb793
                                        • Instruction ID: 93ff11030dcf243216eb2806aa811c2209b39b3983fb769070150e32e66b56f8
                                        • Opcode Fuzzy Hash: cc4a5ea2590e3691bb884e8dc3200042e37a9a979cc2ee0bef5c700d938eb793
                                        • Instruction Fuzzy Hash: 0FF1AF31A00649DFDB00DFACC848B9EBBB9EF55324F18825AE8149B391DB74DD44CBA0
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00CAD946
                                        • SendMessageW.USER32(?,00000000,00000000), ref: 00CADA42
                                          • Part of subcall function 00CAF190: SysFreeString.OLEAUT32(00000000), ref: 00CAF233
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CreateFreeMessageSendStringWindow
                                        • String ID: AtlAxWin140$>
                                        • API String ID: 4045344427-1858757345
                                        • Opcode ID: 1c2e8aa3cefece30195d36f6ff4ae12d4aed32e457e20075a6b5fd5ba08ecfbc
                                        • Instruction ID: 3afaab0d35df972cb51f1080fa09b425de06d4d5fb9eb120000d9d3bd3d82bcd
                                        • Opcode Fuzzy Hash: 1c2e8aa3cefece30195d36f6ff4ae12d4aed32e457e20075a6b5fd5ba08ecfbc
                                        • Instruction Fuzzy Hash: CD91F574600205EFDB14CF64C888B5ABBB9FF49714F148599F82A9B291CB71EE05DB50
                                        APIs
                                          • Part of subcall function 00DA0F40: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00DA0F84
                                          • Part of subcall function 00DA0F40: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DA0F8F
                                        • GetCurrentThreadId.KERNEL32 ref: 00CF9B3C
                                        • SendMessageW.USER32(?,00000127,00030003,00000000), ref: 00CF9BC5
                                        Strings
                                        • AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00CF9A69
                                        • AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00CF9AE0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MessageSend$CurrentThread
                                        • String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                        • API String ID: 2377075789-1831360935
                                        • Opcode ID: 4fc8068d14b6b82b46320ab06417aa204238788c0582a5acdf331164c718c775
                                        • Instruction ID: cbad32b65222881af5227d5b878fbab89beedf8c893e0dc13a78ba6c3f346c72
                                        • Opcode Fuzzy Hash: 4fc8068d14b6b82b46320ab06417aa204238788c0582a5acdf331164c718c775
                                        • Instruction Fuzzy Hash: 7D81A230A00248DFDF15EF64C985BADBBB5FF45304F1441A8E909AB296DB70AE04DBA1
                                        APIs
                                        • GetWindowRect.USER32(00000004,?), ref: 00D0083C
                                        • MonitorFromWindow.USER32(?,00000002), ref: 00D00860
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00D00882
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: MonitorWindow$FromInfoRect
                                        • String ID: U2
                                        • API String ID: 1973172141-415264087
                                        • Opcode ID: 7273ee3ff1d8bf0865db9015bc79db66cc0772ba9acea30710cb4604553bc17d
                                        • Instruction ID: 7ef5bb9175992a74cafdb3440b29ce9edab8439abb078434a6b79de1886cc4a7
                                        • Opcode Fuzzy Hash: 7273ee3ff1d8bf0865db9015bc79db66cc0772ba9acea30710cb4604553bc17d
                                        • Instruction Fuzzy Hash: EE715A75E00208AFDB10DFA4DD49BAEBBF9EF59700F144219F905B72A0DB71AA00DB60
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00CFC4EE
                                        • SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 00CFC6C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Rect
                                        • String ID: AiDlgHeight$AiDlgWeight
                                        • API String ID: 3200805268-871102398
                                        • Opcode ID: 00d06789eeb5bd241dc5b8a4cdfa344e5166ee91e3d48fe99b4b87913d3fbd9f
                                        • Instruction ID: 01ad40420016a7abde9d8666b00e8ce212d016740cc924ca5d7858ee472b5a6b
                                        • Opcode Fuzzy Hash: 00d06789eeb5bd241dc5b8a4cdfa344e5166ee91e3d48fe99b4b87913d3fbd9f
                                        • Instruction Fuzzy Hash: E6617F71E0020DEFCB04DFA8C985B9EBBB5FF48314F148269E911AB291D734AA05CF91
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,28CB4BA0,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00DDF974
                                          • Part of subcall function 00DA5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,00E9A8AD,000000FF), ref: 00DA5188
                                          • Part of subcall function 00DA5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,00E9A8AD,000000FF), ref: 00DA51BB
                                          • Part of subcall function 00CB2970: RaiseException.KERNEL32(?,?,00000000,00000000,00E35A3C,C000008C,00000001,?,00E35A6D,00000000,?,00CA91C7,00000000,28CB4BA0,00000001,?), ref: 00CB297C
                                          • Part of subcall function 00CA9B10: HeapAlloc.KERNEL32(?,00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,?,00F39A1C,?,00DDBB18,80004005,28CB4BA0), ref: 00CA9B5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocExceptionHeapObjectRaiseSingleWait
                                        • String ID: *.*$.jar$.pack
                                        • API String ID: 1065105516-3892993289
                                        • Opcode ID: 6fed3a31bd5029dbb63573d2e4b9274d0806d821abd9af9a9dee49f29bce3bdc
                                        • Instruction ID: 63e9adcee2415cd34779620d453b87796bbdb1427cd7a743f2f473cace4c4daf
                                        • Opcode Fuzzy Hash: 6fed3a31bd5029dbb63573d2e4b9274d0806d821abd9af9a9dee49f29bce3bdc
                                        • Instruction Fuzzy Hash: B0517270A0060A9FDB10DFA9C854BAEF7B4FF45314F14826AE426EB391DB34D904CBA0
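The per-function records in this section all follow one layout (an APIs list, an optional Strings list, then the Memory Dump Source block), which makes them easy to triage by script rather than by scrolling. The parser below is an added example, not code from Joe Sandbox or from this report. It reads a constructed sample embedded in the block (the call lines are copied from this page; their grouping into two records is mine) and keeps calls marked "Part of subcall function" apart from a function's own calls: Joe lists a callee's APIs under every caller that reaches it, so a watchlist that counts inherited calls attributes one function's behaviour, such as the WaitForSingleObject plus *.* / .jar / .pack enumeration above, to every function on the path to it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: two records in the layout of the IDA-plugin section of
# this report. Individual call lines are taken from the page; the split into
# records and the Strings entry placement are constructed for the example.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD472A
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CD4730
• FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00CD4753
Strings
Memory Dump Source
APIs
  • Part of subcall function 00DBA570: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00DBA59D
• _wcschr.LIBVCRUNTIME ref: 00DBAAE2
• WaitForSingleObject.KERNEL32(?,000000FF,28CB4BA0,00000000), ref: 00DDF974
Strings
• AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00CF9A69
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, an optional argument list in parentheses, and "ref: <address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# One Strings line: the literal, then "xrefs: <address>".
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    parent: Optional[int]  # address of the subcall the call was inherited from, else None


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def direct(self) -> List[ApiCall]:
        """Calls made by this function itself, excluding subcall-inherited ones."""
        return [c for c in self.calls if c.parent is None]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records, one per 'APIs' header."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section: Optional[str] = None
    for line in text.splitlines():
        label = line.strip()
        if label == "APIs":
            current, section = FunctionRecord(), "apis"
            records.append(current)
        elif label == "Strings":
            section = "strings"
        elif label == "Memory Dump Source":
            section = None  # metadata follows; nothing more to collect for this record
        elif current is None or section is None:
            continue
        elif section == "apis":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a != ""]
                parent = int(m["parent"], 16) if m["parent"] else None
                current.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
        elif section == "strings":
            m = STR_RE.match(line)
            if m:
                current.strings.append(m["text"])
    return records


def flag(records: List[FunctionRecord], watchlist: Set[str],
         include_subcalls: bool = False) -> List[Tuple[int, List[str]]]:
    """Return (record index, matched API names) for records that call a watchlisted API.
    Subcall-inherited calls are ignored unless include_subcalls is set."""
    hits = []
    for i, rec in enumerate(records):
        calls = rec.calls if include_subcalls else rec.direct()
        names = sorted({c.api for c in calls if c.api in watchlist})
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, rec in enumerate(recs):
        print(i, [c.api for c in rec.direct()], rec.strings)
    print(flag(recs, {"GetModuleFileNameW"}), flag(recs, {"GetModuleFileNameW"}, include_subcalls=True))
```

To run it over the real report, paste the function section into a file and pass its contents to parse_records; the watchlist is whatever set of API names you are hunting for in that sample.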
                                        APIs
                                          • Part of subcall function 00E36662: EnterCriticalSection.KERNEL32(00F44CD8,?,?,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E3666D
                                          • Part of subcall function 00E36662: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9EF6,00F45904,28CB4BA0,?,?,00E5DE0D,000000FF,?,00DDBABC,28CB4BA0), ref: 00E366AA
                                        • __Init_thread_footer.LIBCMT ref: 00CED28D
                                          • Part of subcall function 00E36618: EnterCriticalSection.KERNEL32(00F44CD8,?,?,00CA9F67,00F45904,00EB6640), ref: 00E36622
                                          • Part of subcall function 00E36618: LeaveCriticalSection.KERNEL32(00F44CD8,?,00CA9F67,00F45904,00EB6640), ref: 00E36655
                                          • Part of subcall function 00E36618: RtlWakeAllConditionVariable.NTDLL ref: 00E366CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                        • String ID: 2$ItemData$Windows.UI.Xaml.Controls.ListViewItem
                                        • API String ID: 2296764815-168328404
                                        • Opcode ID: b33b23aa74b9fd5fe902739d1aa29b460588b6530ff60beb58fde09f2b365838
                                        • Instruction ID: 8d683dcaf1ea9a5bcb866e3a04816cb8efe61ef43e414d9f19c30e09a6660b42
                                        • Opcode Fuzzy Hash: b33b23aa74b9fd5fe902739d1aa29b460588b6530ff60beb58fde09f2b365838
                                        • Instruction Fuzzy Hash: F1718D70901289EFDB05CFA8C905BDEBBF0BB15304F148259E915A73D1D7B99B08DBA2
                                        APIs
                                        • EnterCriticalSection.KERNEL32(014DF7E0,28CB4BA0,014DF7E0), ref: 00D05E41
                                        • GetCurrentThreadId.KERNEL32 ref: 00D05E51
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00D05E77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: 4w
                                        • API String ID: 2351996187-3778465916
                                        • Opcode ID: 6b2c60509bd6a39f3b7bff3b63d2b2eb1de1c63184918e2059fd8d192a6f6e6c
                                        • Instruction ID: 16549a0cadfad4a059fe9e6c4cd6366d33e0d899f80caf756a97a87620f83bb0
                                        • Opcode Fuzzy Hash: 6b2c60509bd6a39f3b7bff3b63d2b2eb1de1c63184918e2059fd8d192a6f6e6c
                                        • Instruction Fuzzy Hash: 6141DF71900916AFDB10DF58D880BABFBA8FB44310F148329EC69D7284D731EE54CBA0
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00CB29C6
                                        • EnterCriticalSection.KERNEL32(00F46250), ref: 00CB29E6
                                        • LeaveCriticalSection.KERNEL32(00F46250), ref: 00CB2A0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: 4w
                                        • API String ID: 2351996187-3778465916
                                        APIs
                                        • EnterCriticalSection.KERNEL32(28CB4BA0,28CB4BA0), ref: 00D06080
                                        • GetCurrentThreadId.KERNEL32 ref: 00D06093
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00D06111
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: 4w
                                        • API String ID: 2351996187-3778465916
                                        APIs
                                        • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00CD4B92
                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CD4B98
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoOriginateLanguageException$combase.dll
                                        • API String ID: 2574300362-3996158991
                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00DD029A,?,28CB4BA0,?,?,?,000000FF,?), ref: 00DD2154
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00DD029A,?,28CB4BA0,?,?,?,000000FF,?,00DCFC64), ref: 00DD2171
                                        • GetLastError.KERNEL32(?,28CB4BA0,?,?,?,000000FF,?,00DCFC64,?,?,00000000,00000000,28CB4BA0,?,?), ref: 00DD21D0
                                        Strings
                                        Similarity
                                        • API ID: CreateEvent$ErrorLast
                                        • String ID: AdvancedInstaller
                                        • API String ID: 1131763895-1372594473
                                        APIs
                                          • Part of subcall function 00D82470: __Init_thread_footer.LIBCMT ref: 00D82500
                                          • Part of subcall function 00D82470: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00D8253D
                                          • Part of subcall function 00D82470: __Init_thread_footer.LIBCMT ref: 00D82554
                                          • Part of subcall function 00D82470: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00D8257F
                                        • CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D81FA2
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00D81FC0
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00D81FC8
                                          • Part of subcall function 00CB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00CB0DE6
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
                                        • String ID: SysListView32
                                        • API String ID: 605634508-78025650
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00F46250), ref: 00CB273C
                                        • GetCurrentThreadId.KERNEL32 ref: 00CB2750
                                        • LeaveCriticalSection.KERNEL32(00F46250), ref: 00CB278E
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                        • String ID: 4w
                                        • API String ID: 2351996187-3778465916
                                        APIs
                                        • CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00D82A0B
                                        • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00D82A23
                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00D82A2B
                                          • Part of subcall function 00CB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00CB0DE6
                                        Strings
                                        Similarity
                                        • API ID: MessageSendWindow$CreateLong
                                        • String ID: RichEdit20W
                                        • API String ID: 4015368215-4173859555
                                        APIs
                                        • GetParent.USER32(?), ref: 00D04881
                                        • GetParent.USER32(?), ref: 00D0488A
                                        • SendMessageW.USER32(?,00000411,00000000,?), ref: 00D0489F
                                        Strings
                                        Similarity
                                        • API ID: Parent$MessageSend
                                        • String ID: ,
                                        • API String ID: 2251359880-3772416878
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00CAF06A
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CAF0B6
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CAF0D8
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CAF233
                                        Similarity
                                        • API ID: String$Free$Alloc
                                        • String ID:
                                        • API String ID: 986138563-0
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00CC8258
                                        • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00CC8287
                                        • SendMessageW.USER32(00000000,0000110A,00000004,0A74C085), ref: 00CC8443
                                        • SendMessageW.USER32(0000110A,0000110A,00000001,00000000), ref: 00CC8466
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CB46F0
                                        • SysFreeString.OLEAUT32(00000000), ref: 00CB4731
                                        Similarity
                                        • API ID: FreeString
                                        • String ID:
                                        • API String ID: 3341692771-0
                                        • Opcode ID: 19df153116b99689a2dd08f15b5feb7dd3930e678f9d7d22ea43f49d4843ba51
                                        • Instruction ID: 55730be38a197a2f2f1268ccf1a57d0e0dd03dabcfc44bdfa27fc80c910fc79c
                                        • Opcode Fuzzy Hash: 19df153116b99689a2dd08f15b5feb7dd3930e678f9d7d22ea43f49d4843ba51
                                        • Instruction Fuzzy Hash: 4061AE72A04209EFDB14CF58D844B9ABBB8FB45720F10416AFC14A7391D776AD10DBA0
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(28CB4BA0,28CB4BA0,?), ref: 00CBCD2F
                                        • EnterCriticalSection.KERNEL32(?,28CB4BA0,?), ref: 00CBCD3C
                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00CBCE13
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: 4w
                                        • API String ID: 3991485460-3778465916
                                        • Opcode ID: c009364bc0d95a34b8b6cfb1fd5fb9f047d3a4474a24154cb7ac9c7413bac7cf
                                        • Instruction ID: 7f01b97ccdcfd0bf4bb71253fe7c0b9d520437def2fcac2fc2ad880e8d4a4d7e
                                        • Opcode Fuzzy Hash: c009364bc0d95a34b8b6cfb1fd5fb9f047d3a4474a24154cb7ac9c7413bac7cf
                                        • Instruction Fuzzy Hash: CF4116392007458FDB22CF78C881BEABBB5EF55310F100529E8A6E7391CB31A916DB90
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 00DBC70F
                                        • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00DBC71C
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00DBC739
                                        • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00DBC75B
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: cebbc74b8061adc2c306037ddded42e786c1b8288d9f49f9d2edd2115f0329b9
                                        • Instruction ID: b5cf9e7ff05971527eed979ba3ce2086d89e5f9d0412a2dfa31f195cba8c9a85
                                        • Opcode Fuzzy Hash: cebbc74b8061adc2c306037ddded42e786c1b8288d9f49f9d2edd2115f0329b9
                                        • Instruction Fuzzy Hash: 4B2133B2740306ABE6105F15EC82FAB775CFB80B04F240129FA02A62D0EBA17D058A74
                                        APIs
                                        • MulDiv.KERNEL32(00000010,?,00000060), ref: 00CF6467
                                        • GetWindowRect.USER32(?,?), ref: 00CF64B6
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00CF64DF
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 00CF6571
                                        Similarity
                                        • API ID: Window$LongRect
                                        • String ID:
                                        • API String ID: 463821813-0
                                        • Opcode ID: 31ee4eaf9d3876676c7c43bb1aea5639cc0b7138cbfd214e91a5eccdcb52d867
                                        • Instruction ID: 07f4962d8992ebe9b55550027f0fb30a8ce3982c20b3db2835672d9afd5e753d
                                        • Opcode Fuzzy Hash: 31ee4eaf9d3876676c7c43bb1aea5639cc0b7138cbfd214e91a5eccdcb52d867
                                        • Instruction Fuzzy Hash: CE416A75108749AFD701DF29DC85A6AFBB4FF89300F044A1AFA91A3260D771A894DF52
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,00E9A8AD,000000FF), ref: 00DA5188
                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,00E9A8AD,000000FF), ref: 00DA51BB
                                        • GetStdHandle.KERNEL32(000000F5,?,28CB4BA0,00000000,00E5D840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00DA5226
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,28CB4BA0,00000000,00E5D840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00DA522D
                                        Similarity
                                        • API ID: ByteCharMultiWide$AttributeConsoleHandleText
                                        • String ID:
                                        • API String ID: 3849414675-0
                                        • Opcode ID: d9e7833209088981649500d2d4a48acc9bdce001fb06b57fa2b4bfe0e027fe5b
                                        • Instruction ID: 476bdb25e272f1efed815f967a48bd21b7afb38775d781ea887fca26c569e363
                                        • Opcode Fuzzy Hash: d9e7833209088981649500d2d4a48acc9bdce001fb06b57fa2b4bfe0e027fe5b
                                        • Instruction Fuzzy Hash: BD21D476705605AFD6109B59EC89F6AF76DEB85720F204329FA25E73D0CB305C01CBA0
                                        APIs
                                        • GetParent.USER32(00000000), ref: 00CF996F
                                        • GetParent.USER32(00000000), ref: 00CF9977
                                        • GetParent.USER32(00000000), ref: 00CF997C
                                        • SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 00CF998D
                                        Similarity
                                        • API ID: Parent$MessageSend
                                        • String ID:
                                        • API String ID: 2251359880-0
                                        • Opcode ID: a30c4360176dc56f0873de1df07ea2f1c0e5948aa5f9ef589b56b065efd38f61
                                        • Instruction ID: 9f7f8dc2a4b94708ce6c0898ff1d721891692e36d394ce89e1b11d8d19726571
                                        • Opcode Fuzzy Hash: a30c4360176dc56f0873de1df07ea2f1c0e5948aa5f9ef589b56b065efd38f61
                                        • Instruction Fuzzy Hash: F621F53220010D6BDF649B28EC84FBEF398EFA1354F054529FA15D21A0EB31EE91C666
                                        APIs
                                        • SetWindowLongW.USER32(?,000000FC,00000000), ref: 00CB8A19
                                        • GetParent.USER32(?), ref: 00CB8A4D
                                          • Part of subcall function 00E35D0D: GetProcessHeap.KERNEL32(00000008,00000008,?,00CB0DC7,?,?,00CB0B74,?), ref: 00E35D12
                                          • Part of subcall function 00E35D0D: HeapAlloc.KERNEL32(00000000,?,?,00CB0B74,?), ref: 00E35D19
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00CB8A80
                                        • ShowWindow.USER32(?,00000000), ref: 00CB8A96
                                        Similarity
                                        • API ID: Window$HeapLong$AllocParentProcessShow
                                        • String ID:
                                        • API String ID: 78937335-0
                                        • Opcode ID: 3bfeb321eaec42ae8a375fdccfc8fea69799450349b6491c1ef37073e6d611dd
                                        • Instruction ID: a40b85d5a756b2e8a98feda62f0cb881d72c8ef065c11a42a02853e53302a914
                                        • Opcode Fuzzy Hash: 3bfeb321eaec42ae8a375fdccfc8fea69799450349b6491c1ef37073e6d611dd
                                        • Instruction Fuzzy Hash: 2421AE346047019FC720EF29D848A6BBBE8FF59710B014A2EF8A6D3661DB30E804DB61
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,28CB4BA0), ref: 00CBCB8A
                                        • EnterCriticalSection.KERNEL32(?,28CB4BA0), ref: 00CBCB97
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00CBCBE8
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: 4w
                                        • API String ID: 3991485460-3778465916
                                        • Opcode ID: e1062fb6eef2e6309d6eb635eefa64f441d87844918cd5dd1b8a8aac7983a34c
                                        • Instruction ID: 94e67159496efbcff630e43fef4f0e885fb232231e9fa0bf723b88cb414fb01b
                                        • Opcode Fuzzy Hash: e1062fb6eef2e6309d6eb635eefa64f441d87844918cd5dd1b8a8aac7983a34c
                                        • Instruction Fuzzy Hash: FA21E2369002459FDF11CF64D985BEABBB4FF16324F1005A9EC59BB382C7315A09CB60
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,28CB4BA0), ref: 00CBCC7A
                                        • EnterCriticalSection.KERNEL32(?,28CB4BA0), ref: 00CBCC87
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00CBCCCE
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: 4w
                                        • API String ID: 3991485460-3778465916
                                        • Opcode ID: 1d03410e661b68a0c1455ed0bb1fe04a47c4723f91c863f43b990401c114824d
                                        • Instruction ID: c3a050653375b183da20fac607f746da2b71d1a3c73de5b6358cc05f76e7b313
                                        • Opcode Fuzzy Hash: 1d03410e661b68a0c1455ed0bb1fe04a47c4723f91c863f43b990401c114824d
                                        • Instruction Fuzzy Hash: FC21F1769002449FDF11CF24C981BEABBB8FF15324F1006A9EC59AB382D7319909CBA0
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,28CB4BA0,?), ref: 00CBCABD
                                        • EnterCriticalSection.KERNEL32(?,28CB4BA0,?), ref: 00CBCACA
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00CBCAF2
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterInitializeLeave
                                        • String ID: 4w
                                        • API String ID: 3991485460-3778465916
                                        • Opcode ID: a7769f4275ffcf3230a04be1974c057c47970ed2b66a2b8d27d665fec2aec5cf
                                        • Instruction ID: 59aad2211a269953223535a13444bc57100d2d4e5e4a1e91db3e0c927cbc722c
                                        • Opcode Fuzzy Hash: a7769f4275ffcf3230a04be1974c057c47970ed2b66a2b8d27d665fec2aec5cf
                                        • Instruction Fuzzy Hash: 3721D6769042499FDF01DF64D980BEABB78EB56324F1006A9D865A7381C7325A09DBA0
                                        APIs
                                        • GetWindowRect.USER32(00000000,?), ref: 00D3FAD1
                                        • SendMessageW.USER32(00000000,00000317,?,00000014), ref: 00D3FB65
                                        Strings
                                        Similarity
                                        • API ID: MessageRectSendWindow
                                        • String ID: U2
                                        • API String ID: 2814762282-415264087
                                        • Opcode ID: a3384e014fed6ea3d19dbac2af41cc5120c87ba0fbb908456ea55036e35a1ed3
                                        • Instruction ID: b4594cb507272866b8125d6657894c7644efc728a92e5b0e1348678c996c2e25
                                        • Opcode Fuzzy Hash: a3384e014fed6ea3d19dbac2af41cc5120c87ba0fbb908456ea55036e35a1ed3
                                        • Instruction Fuzzy Hash: E8B167B4E00609DFDB14CFA8C984B9DFBB5FF49310F188269E819AB351D770A955CBA0
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • DeleteFileW.KERNEL32(?), ref: 00DE03FA
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00DE052F
                                          • Part of subcall function 00DCF280: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,28CB4BA0,00000001,75B4EB20,00000000), ref: 00DCF2CF
                                          • Part of subcall function 00DCF280: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,28CB4BA0,00000001,75B4EB20,00000000), ref: 00DCF305
                                          • Part of subcall function 00DCC7E0: LoadStringW.USER32(000000A1,?,00000514,28CB4BA0), ref: 00DCC836
                                        Strings
                                        • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00DE03AE
                                        Similarity
                                        • API ID: File$DeleteInit_thread_footer$CreateHeapLoadProcessReadString
                                        • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                        • API String ID: 3544038457-3685554107
                                        • Opcode ID: 99e838f0c68af2d2eb4ffc3913c4501befafe8fba5c323aa1150153ab0c6f580
                                        • Instruction ID: ec58ec21b63cad1191cff990f3b67460e1bcc78abdf9cab96a89b1096112f68b
                                        • Opcode Fuzzy Hash: 99e838f0c68af2d2eb4ffc3913c4501befafe8fba5c323aa1150153ab0c6f580
                                        • Instruction Fuzzy Hash: 5791B271A006459FDB00EF6DC845B9EBBB5EF45314F188269E915DB292DB70D904CFA0
                                        APIs
                                          • Part of subcall function 00CA9E50: GetProcessHeap.KERNEL32 ref: 00CA9EA5
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9ED7
                                          • Part of subcall function 00CA9E50: __Init_thread_footer.LIBCMT ref: 00CA9F62
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00EA13BF,000000FF), ref: 00DD72D3
                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00EA13BF,000000FF), ref: 00DD7361
                                        Strings
                                        • << Advanced Installer (x86) Log >>, xrefs: 00DD723F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                        • String ID: << Advanced Installer (x86) Log >>
                                        • API String ID: 3699736680-396061572
                                        • Opcode ID: fe8686f08f2bd1105a8a70865956d42ed0c16fc4d3d03c731cd25b97b839c28a
                                        • Instruction ID: fa81557833b0e56940d2ecd64fc4cbea34dacb89bd30d01565539af1a411f60b
                                        • Opcode Fuzzy Hash: fe8686f08f2bd1105a8a70865956d42ed0c16fc4d3d03c731cd25b97b839c28a
                                        • Instruction Fuzzy Hash: 5161EC70905689CFDB00CF6CC949B5ABBF0EF46314F14829DE814DB392DB75AA08DBA1
                                        APIs
                                        • PathIsUNCW.SHLWAPI(?,28CB4BA0,00000000,00000000), ref: 00D93D11
                                        Strings
                                        Similarity
                                        • API ID: Path
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 2875597873-3019864461
                                        • Opcode ID: d1bcc8ce2c95172c575a01849c7ff532c87de7cbc2fcd7da3fe7ea941ca1c468
                                        • Instruction ID: c1b5c8cc0d0227891af39b88b492b0279c9ecb534ad73680eb4d8eefc3e2d1e2
                                        • Opcode Fuzzy Hash: d1bcc8ce2c95172c575a01849c7ff532c87de7cbc2fcd7da3fe7ea941ca1c468
                                        • Instruction Fuzzy Hash: F451C170E00604DBDF14DF58D985BAEB7F5FF45704F20821DE8116B281EB75AA48CBA0
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,28CB4BA0,?,?,00F46054), ref: 00DD858F
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,00F46054), ref: 00DD85F0
                                        Strings
                                        Similarity
                                        • API ID: CreateDirectoryPathTemp
                                        • String ID: ADVINST_LOGS
                                        • API String ID: 2885754953-2492584244
                                        • Opcode ID: 458b2ba1e6fa5e06d8758ebe14022d2e4afe4ced98bd205158fe05eabf87772c
                                        • Instruction ID: 433f3c2ee99a0f3790b076f69bbdd0b1f7cf2b54c8ce3c0be361db701132b557
                                        • Opcode Fuzzy Hash: 458b2ba1e6fa5e06d8758ebe14022d2e4afe4ced98bd205158fe05eabf87772c
                                        • Instruction Fuzzy Hash: A251B275940219DACB319F28C844BB6B3F4FF14724F1846AEE85997390EF748D81DBA0
                                        APIs
                                        • RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,00EC337C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,28CB4BA0), ref: 00CB7280
                                          • Part of subcall function 00D8DDA0: GetModuleHandleW.KERNEL32(Advapi32.dll,28CB4BA0,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00D8DDE3
                                        • CloseHandle.KERNEL32(?,28CB4BA0), ref: 00CB72B9
                                        Strings
                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00CB7178
                                        Similarity
                                        • API ID: CloseHandle$Module
                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                        • API String ID: 1412095732-2431777889
                                        • Opcode ID: 9fb78b483e6b4ad1020a75118bdc7e89434f9bdc25d6cdac19c807b41f0500b7
                                        • Instruction ID: fb41bacf9a6b8e2e7a4d791b7b1019ee63cb2d5c27ddf1575b98137c6d913b97
                                        • Opcode Fuzzy Hash: 9fb78b483e6b4ad1020a75118bdc7e89434f9bdc25d6cdac19c807b41f0500b7
                                        • Instruction Fuzzy Hash: 21515870D04249DEDF20DFA4C959BDEBBB4BF14308F108299E455B7281DBB46A48CFA1
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: DestroySleepWindow
                                        • String ID: (0
                                        • API String ID: 3305115879-3012264354
                                        • Opcode ID: 10c24aef9cb9405610e2ff1e49b85b0f46a6cefa948529608186d9b8a07633a6
                                        • Instruction ID: 6905e81a5ce0aab6dcb20b221545818275f4897f585be95dbe41e3b0cd79c029
                                        • Opcode Fuzzy Hash: 10c24aef9cb9405610e2ff1e49b85b0f46a6cefa948529608186d9b8a07633a6
                                        • Instruction Fuzzy Hash: DB416234A00348EFDB11DF68DC45B9DBBB5AF05700F1440A9E9197B2D2CB705E04DBA2
                                        APIs
                                        • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,28CB4BA0,00ED9754), ref: 00DA7428
                                        • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00DA7524
                                          • Part of subcall function 00D99AC0: std::locale::_Init.LIBCPMT ref: 00D99B9D
                                          • Part of subcall function 00D972B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D97385
                                        Strings
                                        • Failed to get Windows error message [win32 error 0x, xrefs: 00DA7446
                                        Similarity
                                        • API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
                                        • String ID: Failed to get Windows error message [win32 error 0x
                                        • API String ID: 1983821583-3373098694
                                        • Opcode ID: df526e1cdd13355665120bbaf9992974fe6de052e443926a40ebab67c32bb87f
                                        • Instruction ID: 9e86d1853212ce8b0e29ad3c70e43600ebc20d41649e830e64fd64c925559963
                                        • Opcode Fuzzy Hash: df526e1cdd13355665120bbaf9992974fe6de052e443926a40ebab67c32bb87f
                                        • Instruction Fuzzy Hash: A541AE70A042099BDB10DF68CD09BAFBBF8EF05304F144569E415EB290D7B49A08CBA1
                                        APIs
                                        • OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,00EDA350,00000001,28CB4BA0,00000000), ref: 00DF20FE
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00DF211B
                                        Strings
                                        Similarity
                                        • API ID: Event$CreateOpen
                                        • String ID: _pbl_evt
                                        • API String ID: 2335040897-4023232351
                                        • Opcode ID: 566c75eec77c0471fb23175d7c838798d9b97296d24fa9def65f0d6c63e18044
                                        • Instruction ID: 2f2e35e2f3de5eed219189d4badbb7ea4eed9100744f6fd2325dc6690da8d3df
                                        • Opcode Fuzzy Hash: 566c75eec77c0471fb23175d7c838798d9b97296d24fa9def65f0d6c63e18044
                                        • Instruction Fuzzy Hash: 32313A71D00209EFDB10DFA8CD55BEEB7B8EF05714F108219E915B7280DBB46A09CBA1
                                        APIs
                                        • IsWindow.USER32(00000002), ref: 00CAD6CB
                                        • IsWindow.USER32(00000002), ref: 00CAD6E2
                                        Strings
                                        Similarity
                                        • API ID: Window
                                        • String ID: H?
                                        • API String ID: 2353593579-1926948537
                                        • Opcode ID: b86ef97f5b36015b1678068ac15ac414d3b22e4c83b5f7f35d2c3de70a031963
                                        • Instruction ID: e6653ab81703d1b002f1753a10e7ce2b4cd328c2ef33e5ab6503c41b6c7dd8c6
                                        • Opcode Fuzzy Hash: b86ef97f5b36015b1678068ac15ac414d3b22e4c83b5f7f35d2c3de70a031963
                                        • Instruction Fuzzy Hash: 032157346007059FCB28DF64D855F6AB7B5EF49B14F048A2DE86B97AA0CB31A904DB90
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00D9689B
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D968FE
                                        Strings
                                        Similarity
                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                        • String ID: bad locale name
                                        • API String ID: 3988782225-1405518554
                                        • Opcode ID: 934347f903eacdb29a4d92590681510ea8a7910a76067592bd952facd56eb78a
                                        • Instruction ID: 92e661e28f085ba2ebe8cce3f8631cdf20f9d9705a41175242ab927a42f96053
                                        • Opcode Fuzzy Hash: 934347f903eacdb29a4d92590681510ea8a7910a76067592bd952facd56eb78a
                                        • Instruction Fuzzy Hash: 1C21F170604784EEDB20CF68C504B4ABFE4AF15310F14869DE08597781D7B6EA04CBA1
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 00D4813A
                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00D48147
                                        Strings
                                        Similarity
                                        • API ID: Window$Destroy
                                        • String ID: {
                                        • API String ID: 3707531092-2739055043
                                        • Opcode ID: 20b5ed30fb38ef27bba740b45afd72af885ee134d21732f33b62749ffd7c98da
                                        • Instruction ID: 6b87442504f89f05e27e9bf746736925d85f30e4effd2658c7ff88c21e1d2364
                                        • Opcode Fuzzy Hash: 20b5ed30fb38ef27bba740b45afd72af885ee134d21732f33b62749ffd7c98da
                                        • Instruction Fuzzy Hash: DC31BC70804689EFCB01DF68CA0579EFBF4FF11314F14429AE055A7B92CBB4AA08DB91
                                        APIs
                                        • GetParent.USER32(00000005), ref: 00CC1274
                                        Strings
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00CC1249
                                        • d, xrefs: 00CC1240
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                        • API String ID: 975332729-3357045315
                                        • Opcode ID: 1df3ad61682a431261c44ca8d1946d96f5670b360b12ce751383d5225f42d70a
                                        • Instruction ID: c1981024d0aab9d76ebd9411c4e1244c0841ed07f8ae33fa0d0ca1675c1fd834
                                        • Opcode Fuzzy Hash: 1df3ad61682a431261c44ca8d1946d96f5670b360b12ce751383d5225f42d70a
                                        • Instruction Fuzzy Hash: 3D210274D15298EEDF00DFE4D958B8DBBB0BF55308F148088E405AB296DBB96A09CB91
                                        APIs
                                        Strings
                                        • d, xrefs: 00CAD369
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CAD375
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 45a492ef2659abdcce2369f43cd23f40f1f66eadbad6aa557ccccee78d261e26
                                        • Instruction ID: 0e8b70e8272420e96813dace1b6044475de1e024855db38eda7ab4f98901360a
                                        • Opcode Fuzzy Hash: 45a492ef2659abdcce2369f43cd23f40f1f66eadbad6aa557ccccee78d261e26
                                        • Instruction Fuzzy Hash: 42211374D15298DEDF01DFE4D958B8DBBB0BF55308F148188D001AB396DBB95A09CB91
                                        APIs
                                        Strings
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CACFA6
                                        • d, xrefs: 00CACF9D
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: e87d705daa2cf9ade21f9c58985183463b7cb5aaf2e23bff8ba185e43fea54be
                                        • Instruction ID: 68bb2555f300feaa99cc779def72da0f54a0513103ad3c47ba180f743e651215
                                        • Opcode Fuzzy Hash: e87d705daa2cf9ade21f9c58985183463b7cb5aaf2e23bff8ba185e43fea54be
                                        • Instruction Fuzzy Hash: 64211E74D15298EEDF01DFE4D958B9DBBB1BF55308F148088E002AB292DBB95A09CB91
                                        APIs
                                        • GetParent.USER32(0000000D), ref: 00CC133B
                                        Strings
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00CC130E
                                        • d, xrefs: 00CC1305
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
                                        • API String ID: 975332729-3357045315
                                        • Opcode ID: 451f5fe5110a306bef6c3c8d929d8014056256cbc2ef1d210f702ad7c897f45e
                                        • Instruction ID: b516f632d38913cbbea912a8f9b1b07d86b2775a4bea5230664cc19e3a898a13
                                        • Opcode Fuzzy Hash: 451f5fe5110a306bef6c3c8d929d8014056256cbc2ef1d210f702ad7c897f45e
                                        • Instruction Fuzzy Hash: 76211E74D10288EEDF00DFE4D998BDDBBB1BF55308F148098E001AB292DBB95A09DB91
                                        APIs
                                        Strings
                                        • d, xrefs: 00CAD42D
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CAD439
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: 393b44330eefef5309a16a1bf0396c170b54fb59d675e75f6e6e59cca78df7eb
                                        • Instruction ID: 7bd618a8add5079a21316f9573be51e7c9323ddcedf9822ec89a3dd5bc5b0382
                                        • Opcode Fuzzy Hash: 393b44330eefef5309a16a1bf0396c170b54fb59d675e75f6e6e59cca78df7eb
                                        • Instruction Fuzzy Hash: CB213374D00288EADF05DFE4D958BCDBBB0BF55308F208198E001BB286DBB95A09DF51
                                        APIs
                                        Strings
                                        • d, xrefs: 00CAD05C
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CAD065
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
                                        • API String ID: 2558294473-4096264744
                                        • Opcode ID: dc46ab7870c14927805a484403303369d6f2c401fe66365dcd44d52683762070
                                        • Instruction ID: 7c6da6a24293ce664d4f8b24eab1e0a8d43ca42baa29285ec949ef9aad1db604
                                        • Opcode Fuzzy Hash: dc46ab7870c14927805a484403303369d6f2c401fe66365dcd44d52683762070
                                        • Instruction Fuzzy Hash: D5213074D14288EEDF05DFE0D958BCDBBB0BF55308F108088E001BB282DBB90A09DB51
                                        APIs
                                        • CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D0130F
                                        • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00CFFDEC,00000000,28CB4BA0,?,?), ref: 00D01328
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Window$Create
                                        • String ID: tooltips_class32
                                        • API String ID: 870168347-1918224756
                                        • Opcode ID: 1fe31ee24081c7e5fff9789134212a4b1c285042761481750be0d9ff6dcb1a56
                                        • Instruction ID: e68011d7aa2a1782ba86622bb7cdbde08739f3f916750ce8f3f264891635a508
                                        • Opcode Fuzzy Hash: 1fe31ee24081c7e5fff9789134212a4b1c285042761481750be0d9ff6dcb1a56
                                        • Instruction Fuzzy Hash: 5F01F0313802167AF7248664DC4AFA23298D751B40F348329BF04FA0E0D6A2FA11D618
                                        APIs
                                        • GetParent.USER32(00000013), ref: 00CC13C4
                                        Strings
                                        • Unknown exception, xrefs: 00CC1399
                                        • C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00CC13A9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: Parent
                                        • String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
                                        • API String ID: 975332729-2259502730
                                        • Opcode ID: cce9e107213ecf9926275d4f3c510f9582f201a29055b50a36fefc3083889f78
                                        • Instruction ID: 3c983e5cc6d18333dacfeacd75a55a2d08eff5f34fd6efca360a3436ac5f72b0
                                        • Opcode Fuzzy Hash: cce9e107213ecf9926275d4f3c510f9582f201a29055b50a36fefc3083889f78
                                        • Instruction Fuzzy Hash: 1C016134D05248EFCF01DBE4CA15ADDBBB1AF55304F548098D401AB396DBB55A08EB91
                                        APIs
                                        Strings
                                        • Unknown exception, xrefs: 00CAD4C0
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CAD4D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                        • API String ID: 2558294473-452454139
                                        • Opcode ID: c8fb33caa272cf3029dd443a218812128726d47f51d653bea4c99e4d84d1abc2
                                        • Instruction ID: 1b2720f7e719bda957fe081ffbbd8aad7570f16d9da8ee907676397a1bef199a
                                        • Opcode Fuzzy Hash: c8fb33caa272cf3029dd443a218812128726d47f51d653bea4c99e4d84d1abc2
                                        • Instruction Fuzzy Hash: B9018034D05288DBCF01EBE4CE15ADDBBB1AF56304F14819CD002AB386DBB55B08EB92
                                        APIs
                                        Strings
                                        • Unknown exception, xrefs: 00CAD0EA
                                        • C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CAD0FA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: ActiveWindow
                                        • String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
                                        • API String ID: 2558294473-452454139
                                        • Opcode ID: ef70e16fa601c3b87a8fb9311413675a4d87164da77b7d5045516194d227b0fa
                                        • Instruction ID: 62a2484ef7984cf45c69dd7734bb86863c92df14dd03dc980be3bde0c27aaa11
                                        • Opcode Fuzzy Hash: ef70e16fa601c3b87a8fb9311413675a4d87164da77b7d5045516194d227b0fa
                                        • Instruction Fuzzy Hash: A7018034D05288DBCF01DBE4CE156DDBBB1AF56304F148198D0016B386DBB55B08EB92
                                        APIs
                                          • Part of subcall function 00CB3650: InitializeCriticalSectionAndSpinCount.KERNEL32(00F44C5C,00000000,28CB4BA0,00CA0000,Function_001BD840,000000FF,?,00E359BB,?,?,?,00CA6438), ref: 00CB3675
                                          • Part of subcall function 00CB3650: GetLastError.KERNEL32(?,00E359BB,?,?,?,00CA6438), ref: 00CB367F
                                        • IsDebuggerPresent.KERNEL32(?,?,?,00CA6438), ref: 00E359BF
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CA6438), ref: 00E359CE
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E359C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 450123788-631824599
                                        • Opcode ID: 22d6e26a7f1a5849b48bb417358e7f282686cfcbd693f476024b115bd30b535b
                                        • Instruction ID: d5571d08eca144898ba2f177d3f11fb056129541e1f8ff4b85c0edbe62872f77
                                        • Opcode Fuzzy Hash: 22d6e26a7f1a5849b48bb417358e7f282686cfcbd693f476024b115bd30b535b
                                        • Instruction Fuzzy Hash: C8E09270201B11CFC361AF36E508383BBE4AF46718F11991EE996E6741DBB0E408CBA1
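Added triage note and example (not part of the Joe Sandbox report or of the sample): the IsDebuggerPresent / OutputDebugStringW pair in the function above, together with the subcall wrapping InitializeCriticalSectionAndSpinCount and GetLastError and the string "ERROR : Unable to initialize critical section in CAtlBaseModule", is the body of ATL's CAtlBaseModule constructor (atlcore.h). That is library boilerplate linked into every ATL binary, so this particular hit does not by itself support the "checks for a debugger" signature. The Python below parses entries in this listing's format and separates such library hits from IsDebuggerPresent calls that have no known library marker. The second function in the embedded sample, with its 00DEAD00 addresses, is constructed for contrast and does not appear in this report; the LIBRARY_MARKERS table holds only the one string visible here, and any markers you add are your own assumptions.

```python
"""Triage helper for a Joe Sandbox function listing (added example, not part of the
report or of Joe Sandbox). It parses the per-function "APIs" / "Strings" entries
and decides whether an IsDebuggerPresent hit looks like compiler/library
boilerplate or like sample-specific anti-debugging that deserves a look."""
import re
from dataclasses import dataclass, field

# Strings that identify library code known to call IsDebuggerPresent. The only
# entry is the one visible in the listing above (ATL's CAtlBaseModule constructor
# in atlcore.h). Any marker you add here is your own assumption.
LIBRARY_MARKERS = {
    "ERROR : Unable to initialize critical section in CAtlBaseModule":
        "ATL CAtlBaseModule constructor (atlcore.h)",
}

# One "APIs" or "Strings" entry of the listing, e.g.
#   • IsDebuggerPresent.KERNEL32(?,?,?,00CA6438), ref: 00E359BF
#   • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E359C9
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"   # subcall prefix is optional
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)"
)
STR_RE = re.compile(r"^\s*•\s*(?P<s>.+?), xrefs: (?P<ref>[0-9A-F]+)\s*$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # API names, subcalls included
    strings: list = field(default_factory=list)  # referenced string literals


def parse_records(listing: str) -> list:
    """Split the listing into one FunctionRecord per "APIs" header."""
    records, current, section = [], None, None
    for line in listing.splitlines():
        tag = line.strip()
        if tag == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "apis"
        elif tag == "Strings":
            section = "strings"
        elif tag in ("Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"):
            section = None  # metadata follows; ignore it until the next record
        elif current is not None and section == "apis":
            m = API_RE.match(line)
            if m:
                current.apis.append(m.group("api"))
        elif current is not None and section == "strings":
            m = STR_RE.match(line)
            if m:
                current.strings.append(m.group("s"))
    return records


def classify(rec: FunctionRecord) -> tuple:
    """Verdict for one function: does its IsDebuggerPresent call come from a
    known library, or is it unexplained and therefore worth a human look?"""
    if "IsDebuggerPresent" not in rec.apis:
        return ("n/a", "no IsDebuggerPresent call")
    for marker, origin in LIBRARY_MARKERS.items():
        if marker in rec.strings:
            return ("library-boilerplate", origin)
    return ("needs-review", "IsDebuggerPresent without a known library marker")


# Constructed sample: the record above, copied from the listing, followed by a
# second function with the same API and no library string (invented for contrast).
SAMPLE = """\
APIs
  • Part of subcall function 00CB3650: InitializeCriticalSectionAndSpinCount.KERNEL32(00F44C5C,00000000,28CB4BA0,00CA0000,Function_001BD840,000000FF,?,00E359BB,?,?,?,00CA6438), ref: 00CB3675
  • Part of subcall function 00CB3650: GetLastError.KERNEL32(?,00E359BB,?,?,?,00CA6438), ref: 00CB367F
• IsDebuggerPresent.KERNEL32(?,?,?,00CA6438), ref: 00E359BF
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CA6438), ref: 00E359CE
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E359C9
Memory Dump Source
• Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
APIs
• IsDebuggerPresent.KERNEL32(?), ref: 00DEAD00
• ExitProcess.KERNEL32(00000001), ref: 00DEAD0C
Strings
Memory Dump Source
"""


def triage(listing: str = SAMPLE) -> list:
    """Return [(verdict, reason), ...], one tuple per function in the listing."""
    return [classify(r) for r in parse_records(listing)]


if __name__ == "__main__":
    for i, (verdict, reason) in enumerate(triage()):
        print(f"function {i}: {verdict} ({reason})")
```

Run it over a saved copy of the function listing; every "needs-review" verdict is a function an analyst still has to open. Matching is on the literal ATL string, so a sample that strips or encrypts that string falls through to "needs-review", which is the safe direction for a triage filter.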
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00E3341F
                                          • Part of subcall function 00E33814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E33887
                                          • Part of subcall function 00E33814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E33898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2282343229.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.2282322492.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282793858.0000000000F3E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282817757.0000000000F43000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282848153.0000000000F44000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_pYcFueZgOd.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: L4$~4
                                        • API String ID: 1269201914-2895323252
                                        • Opcode ID: 894a0402c3848d97cdbbeb563f709688fe41e4e8473ea7bb59b5f9fcd1110f4e
                                        • Instruction ID: 420f055e2adbbef4a1961a66bab01725f31653fe57703bf7ab16708513705f3f
                                        • Opcode Fuzzy Hash: 894a0402c3848d97cdbbeb563f709688fe41e4e8473ea7bb59b5f9fcd1110f4e
                                        • Instruction Fuzzy Hash: 3AB012D16689416C310C52691D0BD760D5CC0C0F21F30953AB400E2083E4405D88A433